IT PRO PERSPECTIVES



Otey 

"New technologies will significantly 
change the way IT infrastructures are 
built and managed." 


How Virtualization, the Cloud, and Mobility 
Are Driving the Evolution of IT 

From an on-premises entity to a heterogeneous combination 
of internal and external resources 


More than any time in the past, the data center and even the role of IT are clearly in the beginning of an evolution. Although IT has always been changing rapidly, it's clear that we're entering a period in which new technologies will significantly change the way IT infrastructures are built and managed. The three main driving forces behind this IT evolution are mass adoption of virtualization, the rise of cloud computing, and the explosion of multiple types of powerful mobile devices.

Virtualization has definitely changed the IT landscape. In just a few years, virtualization has moved from an experimental technology used only in test and development environments to a core infrastructure platform. Now, many businesses plan for all new servers to be virtualized—and they need to have a reason to implement physical servers rather than virtual servers. Although there are several contributing factors, server consolidation is the primary force that's driving the wholesale adoption of virtualization. Server consolidation lets organizations increase the rate of server hardware utilization while simultaneously decreasing the power costs and management requirements. In addition, high-availability technologies such as vMotion and Live Migration have also emancipated virtual machines (VMs) from their physical hosts, creating the foundation for the dynamic data center where VMs can be moved between hosts automatically in response to changing workloads. Virtualization is a core mainstream technology that will definitely alter the IT landscape for the foreseeable future. IDC studies have shown that one out of every five servers is virtualized today—but it seems clear that those numbers will be reversed in just a few years, and virtual servers will far outnumber physical ones.

The cloud is also an emerging trend that will most certainly reshape IT. Although there's a certain school of thought that says the cloud is built on top of virtualization, that's not necessarily the case. Infrastructure as a Service (IaaS) offerings such as Amazon's EC2 and Azure's Hyper-V clearly rely on virtualization, and many other services are built on virtual servers. However, there's no inherent reason that cloud services must use virtualization. In fact, the abstraction of the services from their underlying implementation is one of the main tenets of cloud computing. Whereas virtualization is well established, the cloud is still in its infancy. Just as virtualization abstracts the server from the underlying hardware, the cloud abstracts the service or application from the underlying infrastructure and lets you manage multiple servers and applications as part of an overarching service. The cloud is just beginning to be a viable option for businesses—but services are emerging that will provide businesses with compelling and ready-to-use solutions (e.g., Windows Intune, Microsoft Office 365). The current uptake might be slow, but the adoption of cloud technologies is sure to grow, transferring parts of the IT infrastructure to off-premises hosting companies.

Mobility is the other main force that's driving the evolution of the data center. Smartphones, such as the iPhone, Android, BlackBerry, and Windows Phone, have evolved into way more than just phones. They're mobile computing platforms that keep us connected to corporate assets when we're out of the office. Furthermore, the proliferation of mobile apps and widespread Internet connectivity have made smartphones useful productivity devices in their own right. One of the really interesting trends that I've seen in the mobility space is the virtualization of mobile devices. At VMworld 2010, I saw VMware demonstrate a prototype of a virtualized mobile phone. Before that, I hadn't considered mobile devices a viable candidate for virtualization. However, it makes sense when you consider how many of us carry multiple devices for work and for home. Virtualization of mobile devices would allow you to carry one device with multiple personalities. In addition, it's clear that today's mobile devices are full-blown computers that will soon be capable of supporting virtualized environments—if they don't already. The use and support of multiple mobile platforms is moving IT out of the office and into the field, as well as stretching the window in which IT assets must be accessible.

Virtualization, the cloud, and mobility are driving the evolution of IT from an on-premises internally managed entity to a heterogeneous multifaceted component that's composed of a combination of internal resources, such as virtualized servers, and external resources, such as cloud services, that stretch IT outside the office space into an always-on and always-connected workspace. This evolution is occurring quickly and is already well underway.
James

"Many cybercriminals find success 
within the first 6 to 8 hours of their 
attacks, through unwitting users." 



Are Users the Weak Link in IT Security? 

Firewalls and antivirus software can only go so far 


For most of 2011, the news headlines have been filled with tales of cyberheists and security failures. RSA got hacked, then the PlayStation Network, Citigroup, the US Senate, NATO, and Lockheed Martin. Anonymous and LulzSec have garnered huge amounts of attention for their exploits. And in all likelihood there were hundreds (if not thousands) of less-well-known cyberattacks that occurred in the same timeframe but went unnoticed or unreported. IT security seems to be a mess these days, with even the largest and most well-financed corporations and government organizations proven to have security defenses the consistency of half-eaten Swiss cheese.

The nature of security threats has changed over the past few years, with amateur hackers and script kiddies giving way to professionals backed by significant skills and resources. According to Stu Sjouwerman, founder and CEO of security training company KnowBe4 and author of Cyberheist (KnowBe4, 2011), the trend toward more professional cybercriminals won't be changing anytime soon.

“Some of these cybercriminals are extremely well-funded, and they have their own labs filled with test machines, each running the latest version of most antivirus products. They'll find and exploit zero-day vulnerabilities in software like Adobe Reader, then send phishing test emails through all of this AV software,” says Sjouwerman, who was also one of the founders of security vendor Sunbelt Software. “They'll find [a phishing email] that works, set up an email server, and send a few million phishing emails to a database of email addresses, then shut the server down within a day.”

The Case for Fixing Operator Error 

Sjouwerman told me that many cybercriminals find success within the first 6 to 8 hours of their phishing attacks, as unwitting users click on links designed to deliver a malware payload, such as keyloggers, Trojans, and other types of advanced persistent threats (APTs). Many of these attacks succeed because somebody clicks a link in a phishing email or is visiting a website that they shouldn't—or because they simply don't have a clue about basic IT security. We've all made mistakes, but I'm sure we all know someone—acquaintances, friends, family, or co-workers—who is constantly struggling with viruses, malware, or other security issues.


Sjouwerman argues that IT security is long overdue for a 
strategic rethink in order to face the changing nature of security 
threats. He contends that the days of IT security being satisfied 
with establishing a firewall, installing antivirus software, and 
keeping Windows servers patched are long gone. 

“Larger organizations frequently train employees about sexual harassment, but sexual harassment still happens in the workplace. The same thing is happening with IT security. Yearly security questionnaires or infrequent company-wide memos only go so far.” What Sjouwerman advocates is a much more aggressive training and education regimen for users at every company, starting with informing users about the threat posed by phishing attempts and how to identify and combat them.

“We all need to start taking security more seriously, and that really begins at the individual level,” Sjouwerman says. “Ongoing testing and evaluation of employees by sending fake phishing emails is essential, as the costs of failure have increased dramatically.” Sjouwerman also suggests a sliding scale for employees who continuously fail security tests, with verbal warnings leading to multiple written warnings, followed by eventual termination if an employee continues to fail. Sjouwerman points to banks that have a zero-tolerance policy for employees who flout or ignore security rules and guidelines; failure to comply with corporate security guidelines is met with immediate termination.

What can an IT manager do to keep the bad guys out? Beyond the basics of installing and properly configuring firewalls, installing antivirus/anti-malware software, and making sure server software, web servers, appliances, routers, browsers, and third-party plug-ins are patched and updated, educating and training your users—backed with help from senior management and HR—should do wonders to improve your overall security posture.

Do you have ideas for how to best train and educate end users about IT security basics? Send your advice and suggestions to me via email at jeff.james@penton.com, and/or follow me on Twitter @jeffjames3.
Exchange Server Licensing

I just read B.K. Winstead's "Exchange 2010 
Architecture: Microsoft's Rajesh Jha Talks 
About the Future of Exchange" (June 2011, 
InstantDoc ID 129952). Interesting article. 
However, in each scrap of news regarding 
Exchange, one item is never mentioned: 
the licensing structure. 

We're a small business—about 300 users—running Exchange 2003. Clearly, it's time to get something newer. After reading all the great news about Exchange 2010, and how easy the transition is, I decided to work up a proposal to company management to upgrade our email system. That is when the ugliness of Exchange 2010 licensing hit me.

We're on a tight budget, so our goal was to gradually introduce Exchange into our domain. That would allow me to migrate our users from Exchange 2003 to Exchange 2010 as we could purchase the CALs. The server license cost is negligible; the CAL cost is what counts. The problem is that as soon as I introduce the first Exchange 2010 box into the domain, I immediately have to purchase Exchange 2010 CALs for my 300 users! So, even if I move only 20 or so to the Exchange 2010 mailbox server, I still have to have 300 CALs for Exchange 2010. Grrrr...

Microsoft's reasoning is, "Since all incoming mail must go through the Exchange 2010 Client Access Server, it uses Exchange 2010. Therefore, the new CAL is required." What a cheap shot! It would have been easy for Microsoft—and a great service to its user base—to require the new CAL for each mailbox user. Then, I could have purchased the CALs as I moved the users.

Why don't you ask your Exchange 
experts how that decision helps their 
users? I would be interested in their 
response. 


Thanks so much for writing! This is the first I've heard of this issue. I can see Microsoft's point—with Exchange 2010 in the environment, all mail traffic should pass through that CAS, regardless of which Exchange server the mailbox is on—but it would be nice if Microsoft had some way to make allowance for the small business that's trying to migrate slowly for financial reasons.

Our contributing editor for Exchange, 
Paul Robichaux, is very connected to the 
Microsoft Exchange team, and he also 
writes about licensing from time to time, as 
in "Exchange Server Licensing: (Some Of) 
Your Questions Answered" (InstantDoc ID 
129766). I forwarded your message to Paul 
to see what kind of insight he could offer, 
and he ended up publishing his response in 
"A New Wrinkle in Exchange 2010 Licensing" 
(InstantDoc ID 136425). As of this writing, 
Paul is working on another follow-up article. 

— B.K. Winstead 

Windows 8 Disillusionment 

I just read Paul Thurrott's "Windows 8 Preview: An Analysis of the First Public Unveiling" (InstantDoc ID 136340). I must say that since Windows Vista, Microsoft has gone wrong! Windows XP had a consistent UI, so why do Vista and Windows 7 have such complicated and incoherent UIs? And now Microsoft is bringing the extremely confusing Windows Phone 7 interface to Windows 8? Do I need to see all that information across my UI all the time? Or does Microsoft think we need to constantly know about everything that's happening on Facebook and Twitter? I'd rather look at an ambient background photo on my PC. If Microsoft is moving forward with this UI idea, I might have to say goodbye to Microsoft, and that would be a pity.


—Alf Flowers 


—Raul Leal 

InstantDoc ID 139551 
Thurrott

"The Windows 8 Start screen UI: Can you imagine it decked out with performance monitors, event viewers, admin utilities, and even a color-coded background that corresponds to the overall health of your environment? Of course you can."



Windows 8, More Mango, Apple's "Lion," and iOS 5 


Summer is generally quiet in the tech industry as consumer-oriented PC makers gear up for the back-to-school season. I typically spend it working on a book, but this year is different thanks to a quickening Microsoft release schedule, the maturation of cloud computing, and Apple's decision to pre-announce products.

Windows 8 Start Screen Revealed 

The biggest ripple, surprisingly, involves the next version of Windows, which Microsoft finally admitted was code-named Windows 8. (Shocker, I know.) We still don't know much about it, but what Microsoft revealed is exciting. Consider the new UI, shown in Figure 1. It's called the Windows 8 Start screen, and will be the default shell in all versions of Windows 8. Reactions to the Start screen have been visceral already, but I think Microsoft's on the right track. It's a user experience, or front end, that works equally well with multi-touch devices (including touch-screen Tablet PCs and iPad-like slates), mouse- and keyboard-driven portable and desktop computers, and remote- and hand controller-based media center PCs or Xbox 360 consoles (see Figure 2).

The new Xbox interface isn't just identical to that of Windows 
8: It also works with unique Kinect capabilities, including voice 
control and, of course, hand gestures. And lest we forget, both of 
these interfaces are derived from the "Metro" UI Microsoft first 
deployed with Windows Phone 7 (see Figure 3). 

One user experience to rule them all? You betcha. The Windows 8 Start screen UI would make for an excellent admin dashboard for servers. Can you imagine that experience decked out with performance monitors, event viewers, admin utilities, and even a color-coded background color (green, yellow, or red) that corresponds to the overall health of your environment? Of course you can.

The Start screen, however, is controversial. Microsoft has so far 
said that it's supporting HTML 5, JavaScript, and CSS for the new 
full-screen apps that run off this new Start screen. And that has 
Silverlight and .NET developers in an uncomfortable bind. 

I'm sure—really, really sure—that Microsoft will still support a new native coding environment in Windows 8, and of course all legacy apps and code will still run in this new OS. It's Windows, after all. But we'll need to wait until September to learn more, when Microsoft hosts a new BUILD conference (a replacement of sorts for WinHEC, PDC, and MIX) where it will bare all. At least give Microsoft some credit for reaching for the stars. In an age in which the company is often criticized for moving too slowly, here is a single UI that's beautiful, usable, and that scales across virtually every computing usage scenario you can imagine. The possibilities are endless. Don't believe me? Consider this: In addition to the server admin dashboard I envisioned, it's also easy to picture how admins could lock down user desktops as needed, presenting a Start screen in which the only live tiles that appear are those for the apps users need to get their jobs done. Distractions are gone.

And for you overworked IT pros and admins who were never going to grok Windows PowerShell, Visual Studio LightSwitch, or any other "programming for dummies" tool that Microsoft misguidedly sends your way, think of it this way: HTML 5 and JavaScript are relatively easy by comparison. And my guess—yes, it's only a guess—is that the Start screen will likewise be a simple environment to code for and control.

I'm bubbling over with excitement on this one. For more 
information—much, much, more—please visit the SuperSite for 
Windows (winsupersite.com). 



Figure 1: The Windows 8 Start screen 



Figure 2: The new Xbox Dashboard 


www.windowsitpro.com
We're in IT with You
Windows IT Pro
AUGUST 2011 11
NEED TO KNOW



Figure 3: Windows Phone "Metro" UI


Windows Phone "Mango" 

The software giant also unveiled the second major version of Windows Phone. Code-named "Mango," it will likely be marketed as Windows Phone 7.5. Due in late 2011, Mango adds a ton of new features to Windows Phone and fills in some functional gaps. What I've seen so far suggests Mango should put Windows Phone on par with, if not ahead of, the iPhone and Android competition from a functional and usability perspective.

Microsoft says that Mango will include over 500 new features, and while I still question that math, there's no doubt it's a major upgrade. Core infrastructure changes include multitasking for third-party apps (with an excellent UI for app switching), background tasks and file transfers, background audio playback for third-party apps (for Pandora, Skype, and other apps), and a new hardware-accelerated version of the Internet Explorer 9 Mobile web browser that, yes, is based on the desktop version.

Microsoft is integrating Twitter and LinkedIn with Mango, and bolstering its already-excellent Facebook integration with new features. Bing gets a major, major update with Bing Audio, Bing Vision (visual search using the device camera), Local Scout, Quick Card, and App Connect functional additions. Hubs are being refined and in some cases redesigned, all built-in apps are getting updated, and SkyDrive and Office 365 are being integrated into the new Office hub. You can group contacts, and communicate with them using Facebook Chat, Windows Live Messenger IM, or SMS and MMS messaging, all from the same centralized UI. And the mail app is getting Conversation View and, a top user request, an integrated Inbox to group two or more email accounts together into a single UI.

Other business-oriented updates include a new Lync IM and presence client, and, most crucially, an improvement to the already solid support for Exchange ActiveSync (EAC) policies. Now Windows Phone will support complex passwords, including alphanumeric passwords (but not device or memory card-based encryption). It will also support Microsoft's Information Rights Management (IRM) document protection through its Office hub and mail app.

Skype 

In mid-May, Microsoft announced it intended to purchase Skype for $8.5 billion, the company's biggest-ever purchase, assuming it's OK'd by antitrust regulators. The big question, however, is "Why?"

I believe it boils down to three key things. First, Skype is a great consumer brand. Second, I think that Microsoft wanted to prevent its competitors—Facebook, Google, and Cisco being the most obvious—from getting Skype. Third, although Microsoft already offers virtually every capability in Skype via products like Lync (for businesses) and Windows Live Messenger (for consumers), Microsoft's solutions utilize a client-server architecture. Skype is based on peer-to-peer technology, which might prove more resilient in certain situations.

I wouldn't worry about Skype for now, 
given the lengthy governmental approval 
process. But I think you can expect to see 
Skype logos in virtually every end-user 
Microsoft product in the future. 

Office 365 

I've already written about Microsoft's stellar cloud productivity solution, Office 365, which is replacing the similar but less capable Business Productivity Online Suite (BPOS). But there's new news, as it were: Office 365 launches June 28, 2011 and will be available for purchase—for subscription really—by individuals, small businesses, and enterprises. Office 365 should trigger a flood of cloud email migrations. I'll review it soon for the SuperSite for Windows.

Apple's Mac OS X "Lion" and iOS 5

Apple announced the next versions of 
Mac OS X and iOS, which will ship in July 
and later in 2011, respectively. What it 
didn't announce, for the first time in four 
years, was a new iPhone. So instead of a 
mid-summer launch, the next iPhone— 
likely marketed as the iPhone 5 or iPhone 
4S—won't ship until this fall at the earliest. 

Mac OS X "Lion" is an evolutionary 
update to Apple's aging Mac OS, but at 
least it's priced right: Just $29, with rights 
to install the product on as many Macs as 
you own. Apple is also taking the somewhat 
bold step of offering Lion only via electronic 
download from the Mac App Store, which 
means that all who own a Mac today will 
need to install their previous OS X version 
before re-upgrading to Lion if they wipe out 
their system in the future. Can you imagine 
if Microsoft required such a thing? 

From a functional and user experience stance, Lion isn't as far-reaching as Windows 8. It supports full screen apps, an App Store, quick resume, and a "grid of icons" LaunchPad, new trackpad-based navigation, and window management tools.

iOS 5 is more interesting. It's basically implementing the best features from Android, BlackBerry, and Windows Phone. So iOS 5 devices—iPhone, iPod Touch, and iPad—will get a Notification Center based on a similar feature in Android; a Messages interface that rips off BlackBerry Message Service (BMS); and several Windows Phone features, such as "pocket to picture" camera functionality, Twitter integration, Wi-Fi sync, and more. Microsoft corporate VP Joe Belfiore said he was "flattered" by the copying.

InstantDoc ID 136415 
Minasi

"I've found this Windows 
configuration tremendously 
useful, and I think many of 
you will also." 



Creating a Dual-Boot Windows PE System, Take Two 

Adding WinPE to your Windows 7/Server 2008 R2 installation will keep you prepared 


In "Adding Windows PE to Your Windows 7 System" (May 2011, InstantDoc ID 129793), I talked about installing a copy of Windows PE alongside your Windows 7 or Windows Server 2008 R2 installation—that second Windows OS can greatly simplify some classes of maintenance, troubleshooting, and disaster recovery tasks. The method I offered for retrofitting WinPE onto an existing system was a bit inelegant but simple to explain. This month, I'll begin a series that will show you how to install WinPE and Windows 7/Server 2008 R2 onto your system in a more streamlined fashion. Basically, you'll create a dual-boot system in five steps. The following steps might look a trifle ugly, but I've found this Windows configuration tremendously useful, and I think many of you will also.

The Steps 

First, you'll install Windows 7 (or Server 2008 R2) onto a new system but tweak the install by pre-creating the "unlettered" partition. Recall that the Windows 7/Server 2008 R2 family prefers to create a 100MB partition wherein the OS stores the boot configuration database (BCD) and then does not give that partition a drive letter—thus keeping it hidden and safe from accidental user meddling. We'll create that partition sized at 1GB rather than 100MB, however, to leave room for a copy of WinPE. That's necessary because all the Vista-and-later versions of Windows don't like to coexist with another copy of Windows on the same partition. You can avoid the need to create a third partition for WinPE (as I did in the earlier procedure) by simply expanding and exploiting the hidden partition.

Second, you'll download the Windows Automated Installation 
Kit. The WAIK will provide two useful items: a working copy of 
WinPE in the form of a file named winpe.wim, and the imagex.exe 
tool that lets you install a WIM-type file onto a hard disk. 

Third, you'll deal with the fact that you can't image a WIM 
onto a partition unless that partition has a drive letter by using 
the Microsoft Management Console (MMC) Disk Management 
snap-in to temporarily give the 1GB partition a drive letter (i.e., 
T). Fourth, you'll use ImageX to put that winpe.wim file onto T. 
And fifth, you'll modify the BCD to add a new Boot WinPE option 
to the boot menu. 

That set of blueprints is obviously compressed, and none of 
the concepts should be entirely foreign. I've covered them all in 
the past two and a half years in this column. So, in this column 
and in forthcoming columns, I'll begin walking through the steps 
in more detail. 


Tweaked Install 

You're building a Windows installation from scratch, so start from 
a system that you don't mind wiping clean. Boot the PC from a 
Windows 7 or Server 2008 R2 Setup disk. On the Install Windows 
screen, choose your language, time and currency, and keyboard 
type, and click Next to get to the Install Now screen. 

At this point, you'll deviate from a standard Windows setup by pressing Shift-F10 to get a command prompt or—more correctly—a WinPE command prompt so that you can head Setup off at the pass and create a 1GB "unlettered" partition before Setup creates a 100MB one. Dust off your Diskpart skills, and type these commands:

diskpart 
list disk 

That will display all the physical hard disks that Setup can see 
on your system. On most workstations, that's going to show just 
one hard disk, disk 0. If, however, you're installing Windows on a 
system that has more than one disk, use the output of the List Disk 
command to identify the integer that names the disk you want to 
install Windows onto. Next, you'll wipe that disk clean, create a 
1GB partition on it, and mark that as the bootable partition with 
these commands: 

select disk 0
clean
create partition primary size=1000
active
exit
exit

After the two Exit commands, the command prompt window will be gone and you'll be back at the Install Now screen. Click Next, accept the license, and click Next. On the next wizard page, click Custom (advanced), instruct Setup to put Windows on the remaining unallocated large chunk of disk space, and let Setup run as usual. Once that's done, you'll be ready to blend in the WinPE magic—which I'll show you next month.
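As an added example that is not part of Minasi's column, the batch script below shows how steps 3 through 5 of the blueprint (letter the hidden partition, apply winpe.wim with ImageX, add a Boot WinPE entry to the BCD) could be run non-interactively from the installed Windows 7 or Server 2008 R2 system once Setup has finished, using a diskpart script in place of the Disk Management snap-in. It assumes disk 0, that the 1GB partition created during Setup is partition 1, that drive letter T: is free, and that the 64-bit WAIK is installed in its default location; every path and name is an assumption and should be checked against your system.

```batch
@echo off
setlocal
rem Added example (not from the column). Run from an elevated command prompt
rem on the installed Windows 7/Server 2008 R2 system after Setup has completed.
rem Assumptions: disk 0, the 1GB "unlettered" partition is partition 1, letter T:
rem is free, and the 64-bit WAIK is in its default folder (adjust WAIK as needed).
set "WAIK=%ProgramFiles%\Windows AIK\Tools"
set "WIM=%WAIK%\PETools\amd64\winpe.wim"
set "IMAGEX=%WAIK%\amd64\imagex.exe"

if not exist "%IMAGEX%" (echo imagex.exe not found at "%IMAGEX%" & exit /b 1)
if not exist "%WIM%" (echo winpe.wim not found at "%WIM%" & exit /b 1)

rem Step 3: temporarily give the 1GB partition the drive letter T so ImageX can
rem write to it. This is the scripted equivalent of the Disk Management snap-in.
set "DPSCRIPT=%TEMP%\assign-t.txt"
(
echo select disk 0
echo select partition 1
echo assign letter=T
) > "%DPSCRIPT%"
diskpart /s "%DPSCRIPT%" || exit /b 1

rem Step 4: apply image index 1 of winpe.wim onto T:\ (existing BCD files on the
rem partition are left in place; /apply does not format the target).
"%IMAGEX%" /apply "%WIM%" 1 T:\ || exit /b 1

rem Step 5: add a "Boot WinPE" entry to the BCD. bcdedit /create prints the new
rem entry's GUID in braces; capture it with FOR so later commands can use it.
set "GUID="
for /f "tokens=2 delims={}" %%g in ('bcdedit /create /d "Boot WinPE" /application osloader') do set "GUID={%%g}"
if not defined GUID (echo bcdedit /create failed & exit /b 1)
bcdedit /set %GUID% device partition=T:
bcdedit /set %GUID% osdevice partition=T:
bcdedit /set %GUID% path \windows\system32\winload.exe
bcdedit /set %GUID% systemroot \windows
bcdedit /set %GUID% winpe yes
bcdedit /set %GUID% detecthal yes
bcdedit /displayorder %GUID% /addlast
bcdedit /timeout 10

rem Remove the temporary letter again so the partition goes back to being hidden.
rem The BCD entry keeps working because it stores the partition by its device
rem identity, not by the drive letter.
(
echo select disk 0
echo select partition 1
echo remove letter=T
) > "%DPSCRIPT%"
diskpart /s "%DPSCRIPT%"
del "%DPSCRIPT%"
echo Done. "Boot WinPE" has been added to the boot menu.
endlocal
```

Verify the result with `bcdedit /enum` before rebooting; the new entry should show `winpe Yes` and a device pointing at the hidden partition.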
Diskeeper 2011: Ensuring Maximum Performance on Windows 7 Systems


By David Chernicoff 

Disk defragmentation software has undergone many 
changes since it was first introduced into the Windows 
environment. While it has become a standard part of the 
Windows utility toolkit and is even included in the native 
Windows utilities that ship with the operating system, 
there continues to be a lot of room for improvement over 
the basic facilities provided by the included Windows 
defragmentation tool. So if the operating system includes 
a defragmentation tool, why are third-party defragmenters 
an important tool for corporate IT? 

First-tier Windows defragmentation tools such as Diskeeper® 2011 data performance software, unlike the defragmentation tool included with the operating system, aren't there just to clean up a fragmented drive; they do far more than simply defragment the system hard drives. The most significant difference is in the principal approach and resulting benefits. Diskeeper 2011 prevents most fragmentation from occurring on the initial write, minimizing the amount of files that require defragmentation. And, with specialized background operations that keep the system running at peak disk performance, Diskeeper 2011 is capable of optimizing the occasional files that do fragment, with little to no impact on foreground system processes.


To compare the capabilities of Diskeeper 2011 with the native Windows 7 defragmentation utility, we set up a test scenario using some of the most common knowledge worker applications on popular business computer hardware. The tests focused strictly on fragmentation prevention and defragmentation; they didn't take into account the long-term optimization impact of Diskeeper on disk data or the on-going impact of Diskeeper optimizations. Regardless, our results found that Diskeeper 2011 fragmentation prevention and defragmentation resulted in performance benefits significantly beyond those delivered by the native Windows 7 utility.
It's not just about defragmenting anymore

While the testing documented here continues to 
demonstrate the advantages of running Diskeeper 
data performance software on desktop systems 
to limit the impact that fragmentation causes on 
end-user workflow, it's important to note that the 
complete set of technologies tested could easily be 
described as more than the sum of their parts. 

The technologies that prevent fragmentation limit any fragmentation that occurs and optimize the utilization of the hard disk, reducing the amount of disk I/O that happens on a daily basis, and providing benefits beyond improved performance. By minimizing the amount of disk activity Diskeeper improves the overall reliability of the system, increases the MTTF that affects all spinning media, and reduces the potential for file, system, and data corruption that commonly impacts business desktop users.

How the tests were done 

All testing was done on two platforms, representative of industry standard mid-high end desktop and notebook equipment commonly found in an office environment. Note that on older or less capable platforms, the impact of disk fragmentation can be much more severe. For the purpose of these tests we deliberately selected platforms that had the power to disguise the performance degradation symptoms that severely fragmented disks cause, by applying significant processing power and large amounts of system memory.

For our desktop test system we used a

• Dell OptiPlex 980
• Intel i7 (2.8 GHz) CPU
• 1 TB 7200 RPM SATA hard drive
• 8 GB DDR3 1333 MHz RAM

For the notebook we used a

• Lenovo ThinkPad T150
• Intel i5 520M (2.4/2.93 GHz) CPU
• 500 GB 5400 RPM SATA hard drive
• 4 GB DDR3 1066 MHz RAM

For the operating system we used Windows 7 Professional 64-bit, updated to be current as of the start of the test period. We used appropriate 64-bit versions of the test applications, Microsoft Office 2010 (Word, Outlook, Excel, and PowerPoint), Adobe Photoshop CS 5, and Norton Security (for anti-virus testing). Backup tests were run using the native Windows 7 backup utility. Using Windows 7 64-bit meant that applications were rarely, if ever, memory constrained, which minimizes the amount of swapping to disk that well-written applications will do.

Two types of testing were done for this paper.

The first is what readers have come to expect from documents of this nature. We ran the standard knowledge worker applications and evaluated their performance with a fragmented disk, with the native Windows defragmentation utility, and with Diskeeper 2011 being used to manually defragment the drive. This was done to show two things: that defragmentation is important to optimal performance and that Diskeeper defragmentation is more effective than the native Windows 7 utility.

Diskeeper 2011, on the other hand, is designed to show optimum performance in the real world. Its core operation is designed to prevent fragmentation in the first place and optimize the writing of files to the disks, reducing the need for after-the-fact defragmentation. To demonstrate this capability we ran a second set of tests.

This second set of tests was designed to compare the performance of a system where Diskeeper 2011 was configured in its normal fashion, with all disk optimization features active, versus the standard Windows Disk Defragmenter running with its weekly scheduled defrag.

Note that both the 64- and 32-bit versions of 
Office 2010 are supported on Windows 7 64-bit. 

In general, there are no noticeable performance differences between the two versions of Office in that environment. The main difference is when file sizes go over 2 GB. If an organization routinely generates files larger than 2 GB that need to be manipulated by Office applications, the 64-bit version might be called for. Because 32-bit Office Add-ins and ActiveX controls won't work with 64-bit Office, there is a tradeoff to be made. All of our testing was done with the 32-bit version of Microsoft Office 2010.
Figure 1: Graphic display of fragmented drive from Diskeeper 2011


Disk images were created for each system, which gave us a severely fragmented disk test. When the entire test application suite was installed the disk was 70 percent full (Figure 1). This gave us a reasonable representation of the average, heavily used corporate knowledge worker computer with a level of fragmentation often found on corporate desktop computers.

Once the appropriate fragmentation level was 
achieved on the test platform drive, the disk was 
imaged to an external drive, allowing the same 
starting configuration to be used for each test. 

The defragmentation software used was the native 
Windows 7 scheduled defragmenter and the final 
release candidate of Diskeeper 2011. 

Once the configuration was complete, we tested the computers in three states:

• Base system image with fragmentation
• System image defragmented with the native Windows 7 defragmentation utility
• System image defragmented with Diskeeper 2011 (Figure 2)

IntelliWrite performance testing

IntelliWrite® technology is the technology in Diskeeper 2011 that can be enabled, on a per-drive basis, to dramatically minimize file fragmentation as the files are written to disk. This preventive measure has a cascading effect. To wit, the less the drive is fragmented in the first place, the less fragmentation happens as additional data is written to the drive. While IntelliWrite does an excellent job in conjunction with Diskeeper Automatic Defragmentation, it's not necessary to enable automatic defrag to see improvements.

In our test, we used a 250GB drive volume that was 38 percent full, with minimal fragmentation. We then ran a scripted test that utilized Microsoft Office applications to simulate a week's worth of knowledge worker activities using these common applications.

Figure 2: Graphic display after defragmentation pass by Diskeeper 2011

Figure 3: Low performing fragment creation


The defragmentation tests

Enabling IntelliWrite fragmentation prevention on all drives provides the best performance results, reducing unnecessary I/Os and mitigating the need for after-the-fact defragmentation. It's important to note that in order to show performance results compared with the native Windows defragmenter it was necessary to test utilizing the defragmentation functionality in Diskeeper. Simple defragmentation alone, of course, provides performance benefits but is limited when compared to advanced data optimization technologies that have been born out of necessity to keep pace with current enterprise and data center needs.

Each test was first run on the base, fragmented image. The image was then defragmented with the native Windows 7 defragmenter and the tests were run again. The disk was then re-imaged and defragmented with Diskeeper 2011, and the tests were run again. Each test was run for a minimum of three iterations, with the system being rebooted between each test pass to prevent the various Windows caching technologies from impacting the test results. All test results are reported in seconds.

Figure 4: Total Excess Fragments created by test script
Figure 3 shows that the creation of low-performing fragments, which significantly increases the amount of time necessary to read a fragmented file, more than doubles without the use of the IntelliWrite technology.

Figure 4 shows that the total number of excess file fragments increases even more than the number of low-performing fragments. Note that these tests were run on a drive with just over 60 percent of its total capacity free; had the disk been more completely filled, and fragmented much as an average desktop hard drive, the differentiation would have been even more severe.


Microsoft Word 

The Microsoft Word test comprises a large 15MB 
document that contains both text and images. 

Load time was measured from the point that the 
file was double-clicked and the application and 
document were fully loaded. The file save test was 
done by doing a "Save As..." and saving the same 
file, under a different name, to a different location 
on the hard disk. 
As Figure 5 shows, the fragmented drive was significantly slower to read in both test systems. The file save, while quick, took almost twice as long on the fragmented system tests. Diskeeper, even with optimized file writes, still provided the fastest write speed in this test.

Based on these tests we see a 13.2% average performance increase in open and save times on a system defragmented with the Diskeeper 2011 defrag engine versus the Windows 7 disk defragmenter. The smallest increase came from the Notebook Word Save test at 1.6%, with the largest increase in performance from the Desktop Word Open test at 19.4%.

Microsoft Excel 

With Microsoft Excel we loaded a 6 MB spreadsheet that consisted of 10 sheets of data with 10,000 rows and 25 columns. Timing was from the point we double-clicked the file until it was completely loaded. The save test was accomplished by writing the file to a different location on the disk.

Because Excel is the application most affected by being moved to a 64-bit version, the results of this test are even more important, with the fragmented disk file loads taking almost a third longer than the Diskeeper optimized environment. Because complex spreadsheet support with documents exceeding 2 GB in size is one of the advantages of 64-bit Excel, users in that environment would be even more severely affected, in both loading and saving data, than the very noticeable results we show here (Figure 6) with a much smaller data set.

The Excel tests showed an impressive average speed improvement of 21.7% on the Open and Save tests. The most dramatic improvement was seen during the Desktop Excel Save test where a 66.7% improvement was realized using simply the Diskeeper defrag functionality.

Microsoft PowerPoint 

The Microsoft PowerPoint test file consisted of a 200-slide mixed media presentation that was just over 6 MB in size. Timing began when we double-clicked on the file and stopped when the file was completely loaded. The save test was accomplished by writing the file to a different location on disk.

Despite all of the media being contained in a single file, the load and save times indicate that PowerPoint is extremely sensitive to disk fragmentation (Figure 7). Despite a file size similar to the one used in the Microsoft Excel test, the file save times took notably longer as PowerPoint processed and saved the presentation. The overall results indicate that disk defragmentation is critical to optimizing read and write times for PowerPoint presentations, with an improvement of up to 35% when compared to the fragmented drive.

Microsoft Backup 

In this test, we backed up a 
10,000 file subset of the data on 
the test disk to an external USB- 
connected hard disk. Timing 
was from the point the backup 
started until the application 
reported it was complete. 

Disk fragmentation has always been the bane of fast backups, and our tests confirmed this perception (Figure 8). Due to the nature of how backup works and the inherent overhead of transferring many small files, it's possible that our backup would have been even faster over a data connection with higher speeds than USB 2.0. Minimizing file fragmentation is critical to maximizing the performance of backup software.

Figure 5: Results of the Open and Save tests with Microsoft Word. MS Word Open File: Diskeeper is as much as 40% faster than no defragmentation and 16.1% faster than WDD. MS Word Save File: Diskeeper is 49% faster than no defragmentation and 14.1% faster than WDD.

Even with the constraints of backing up to a USB 2.0 connected external hard drive, Diskeeper was able to maximize the backup performance of both test systems. With a fast 7200 RPM drive in the desktop configuration, Diskeeper improved backup performance by almost 12%, while with the slower notebook hard drive Diskeeper still provided a 6% performance improvement over WDD.

Adobe Photoshop CS5

In this test, we created a 120 MB TIF file by converting a RAW image from a Canon 5D Mark II, using Canon Digital Photo Professional. We then timed the process of opening the TIF image using Photoshop, from the point we double-clicked on the file until it was ready for editing. The Save test wrote the file out to another location on the hard drive.
Figure 6: Results of the Open and Save tests with Microsoft Excel. MS Excel Open File: Diskeeper is as much as 31.2% faster than no defragmentation and 14.6% faster than WDD. MS Excel Save File: Diskeeper is as much as 61.2% faster than no defragmentation and 40% faster than WDD.

Figure 7: Results of Microsoft PowerPoint Open and Save tests. MS PowerPoint Open File: Diskeeper is as much as 36.9% faster than no defragmentation and furthermore showed an improvement over WDD. MS PowerPoint Save File: Diskeeper is as much as 11% faster than no defragmentation and furthermore showed an improvement over WDD.


The load times are exceedingly long due to the nature of the many modules that Photoshop loads on startup (Figure 9). With the fragmented disk the load times were excruciatingly slow. With a scheduled backup tool such as the built-in Windows utility, the impact of fragmentation would quickly become noticeable to a user whose files weren't protected against fragmentation.


Launching Photoshop on a fragmented hard drive can be an excruciatingly slow process that Diskeeper is able to improve by reducing the application and file load time by 70%, from well over two minutes to 40 seconds.

Norton Security Suite 

In this test, we launched a virus and spyware scan on a subset of the C: drive. Timing was from the point we initiated the scan until the application reported 50,000 items scanned.

Figure 8: Results of the Microsoft backup test. Backup: Diskeeper is as much as 38.5% faster than no defragmentation and 12% faster than WDD.

With a small, 50,000 file security scan, Diskeeper 2011 cuts up to two minutes, or more than 22%, off the time required to run the antivirus scan against those files.

With only a small subset of the total number of files on the disk scanned by the antivirus software, it quickly becomes clear that the larger the data set, the greater the negative impact of disk fragmentation (Figure 10). Given that desktop AV solutions often aggressively scan entire machines, hopefully during slack usage times, disk defragmentation is critical for keeping the scanning from interrupting the console user and churning the hard drives unnecessarily.

Real-World Simulation Tests 

In our real-world simulation test, a VBScript was run that generated a full workday's worth of end-user activity in a busy environment. The script created, read, and wrote files using Notepad and the Microsoft Office applications Word and Excel. The script ran in real time and was run once per day over a five-day period. At the completion of each day, Diskeeper 2011 disk analysis was run to determine the level of fragmentation overall and to determine which files and directories were most fragmented.

Figure 9: Results of the Adobe CS5 Load and Save tests. Photoshop Load: Diskeeper is as much as 71% faster than no defragmentation and 16% faster than WDD. Photoshop Save: Diskeeper is as much as 46% faster than no defragmentation.

Figure 10: Results of Antivirus scan test. Security Scan: Diskeeper is as much as 22.6% faster than no defragmentation and 9.3% faster than WDD.

For these tests, Diskeeper was enabled to allow automatic defragmentation and to use its IntelliWrite technology to prevent fragmentation from occurring in the first place. This is how Diskeeper would be used in the real world. The Windows Disk Defragmenter (WDD) used the default configuration to run weekly, which means that over the course of the five days of testing it would have only been run prior to the start of the tests, and that the testing shows the fragmentation that occurs, and its impact on system performance, between WDD runs as fragmentation builds up.

After each day's workload was completed we ran the Diskeeper analysis tool to determine the amount of fragmentation that was occurring. This analysis showed that the amount of fragmentation increased consistently each day with the standard Windows 7 configuration. Roughly 20,000 file fragments were the result of each day of simulated work, with the final total at the end of the five-day test at slightly more than 100,000 total fragments.

With Diskeeper 2011 active and properly configured the total number of file fragments after five days was 11. That is roughly 1/100th of 1 percent of the total fragmentation that would otherwise be created over five days. This means that effectively there is no fragmentation when Diskeeper is running.

To measure the benefit of this fragmentation prevention we ran three tests each day. The first two used the public domain utility Readfile to read all of the files in the directory for Notepad, then for Word. The third test was to copy and move a 2 GB file on the test partition.

In Figure 11, you can easily see that the fragmentation prevention allowed for similar read times across all five days of the test, and that when fragmentation was allowed the file read times eventually more than doubled by the last day of testing.

While a single day of fragmentation resulted in read times that increased by 73%, a week's worth of work resulted in file read times that increased by over 145%.

A single day of fragmentation caused Word file read times to increase 144%, while a week's worth of work increased that to 175%.
Figure 11: Notepad file read tests over 5 days (Test 1: Notepad; seconds to read Notepad files; the lower score is better)


Looking at the second test results (Figure 12), you can see that with fragmentation, the more complex Word document files almost immediately more than doubled in read times and continued to get worse over the course of the tests, to the point where the fragmented files took almost three times as long to read.

Defragmentation Proves Beneficial

Consider what the test results here show: hard drive defragmentation provides a noticeable improvement in the performance of common office user tasks. This applies even to some tasks that are usually automated and not initiated by the user. Not letting end-user systems reach the level of disk fragmentation we used in our test would clearly be to the advantage of any knowledge worker. Although regularly scheduled defragmentation, such as the native Windows utility provides, is a start, the advantages and performance benefits of Diskeeper 2011 are head and shoulders above those of the included utility.

The native Windows utility defaults to a scheduled defrag pass once per week, ideally scheduled when the computer isn't being used for other tasks, and is designed to "catch up" with any fragmentation that has occurred since the last pass. Even run as suggested, the disks defragmented with the Windows utility don't perform as well as those running Diskeeper 2011. And systems allowed to fragment show, at the least, significant performance degradation when compared to properly defragmented disks. Business and enterprise environments require the efficiency that Diskeeper provides in order to keep pace with knowledge worker demands.

Diskeeper 2011 includes four technologies that work together to improve the user experience, improve system performance, and extend the useful life of the hardware (Figure 13 shows an example):

• I-FAAST® technology, which optimizes file organization on the hard drive by placing the most used files on the fastest locations of a hard drive (note that this wasn't tested in this report),
• InvisiTasking® technology, which allows for efficient and effective defragmenting as a real-time background process with little to no impact on the user experience,
• And most importantly, IntelliWrite, which eliminates most fragmentation before it can actually happen.
• InstantDefrag™ technology, which uses data passed from IntelliWrite to immediately defrag files so no newly fragmented files can slow performance.
Figure 12: Read times for Microsoft Word files (Test 2: Word; seconds to read Word files; the lower score is better)

Figure 13: Example of the continuing fragmentation prevention provided by Diskeeper 2011


Our testing provides objective proof of the greater effectiveness of eliminating fragmentation using Diskeeper 2011 when compared to the native Windows defragger, along with the significant performance improvement over systems that aren't regularly defragmented. What the tests don't document are the additional advantages provided by long-term use of the tool: increased performance, longer equipment life, and more efficient utilization of the hardware. Implementing Diskeeper 2011 impacts not just the end-user experience but also the IT staff by reducing the workload of those staffers responsible for supporting end-user systems.

System slowdowns and apparent performance problems are among the most common reasons users will pick up the phone and call IT for help. By limiting the potential causes for those problems, IT is able to recover resources that would have otherwise been required to do additional systems maintenance to keep end users happy. This maintenance need, in many cases, can be negated by the automated disk management provided by Diskeeper 2011.
Director for PC Week Labs (now eWeek), former Lab Director for Windows NT/Windows 2000 mag-
Technology Officer for a network management tools ISV. David has been writing computer-related feature and product reviews for more than 20 years and is coauthor of a number of operating system books, ranging from the Windows NT Workstation: Professional Reference (New Riders Publishing), to the Microsoft Windows XP Power Toolkit (Microsoft
duction FAX technology.
TOP 10


Otey 

"The SharePoint back end provides the 
backdrop that makes the components of 
Office 365 really useable and sets the Office 
365 offering apart from competitors." 



Features in Office 365 

Document collaboration with familiar apps and email from Microsoft's cloud offering 


With Microsoft Office 365, Microsoft finally has a formidable entry into the office web application space. However, unlike its main competitor, Google Docs, there's no free version of Office 365. There are two basic editions of Office 365: Office 365 Plan P for professionals and small business, which is limited to 50 users, and Office 365 Plan E for enterprises. Plan P is available for a subscription fee of $6 per user per month; Plan E is available in four different levels ranging from $10 to $27 per user per month. Let's take a look at some of the most important features in Microsoft's cloud-based Office 365 offering.

• Browser-based access —You access Office 365 by pointing your web browser to the Microsoft Office 365 portal. Office 365 is compatible with all the major browsers, including Microsoft Internet Explorer (IE), Firefox, and Safari. Notably, Office 365 can be used from either a Mac or a PC.

• High availability —Following on the heels of recent outages from both Amazon and Microsoft's predecessor online service (Business Productivity Online Standard Suite—BPOS), you have to wonder how this claim will actually pan out. However, Microsoft is providing a 99.9 percent uptime guarantee for Office 365 and offering refunds for any outages.

• Lync 2010 —Office 365 prompts you to download and install the new Lync 2010 client. Like Windows Live Messenger, Lync 2010 is an IM client that lets you conduct online meetings. Lync 2010 provides PC-to-PC audio and video connections. Unlike the other web-based members of the Office 365 suite, Lync 2010 is installed to your desktop.

• Web design app —Office 365 includes an easy-to-use—albeit limited—web page designer. You start the web design app from the built-in SharePoint site, and it provides a set of templates that let you quickly create and edit very simple websites. The web design app isn't nearly as rich in functionality as the other Office 365 web apps.

• PowerPoint Web App —Office 365 includes web versions of the main Microsoft Office applications, as well as the desktop Office suite applications at higher subscription levels. The PowerPoint Web App can create new presentations or open existing documents. I was pleasantly surprised at how similar the Web Apps are to their familiar counterparts in the desktop Office suite. I was immediately productive with Office 365 Web Apps.

• OneNote Web App —Like its desktop counterpart, OneNote Web App is a note-taking application that doesn't require you to explicitly save your documents. The Web App is simpler than the desktop version of OneNote in that it doesn't have multiple tabs across the top. However, you can sync your desktop OneNote with the web version.

• Outlook Web App —Outlook Web App (OWA) is the browser-based email client. Office 365 OWA uses Exchange Online running on Exchange Server 2010 as its mail host and provides the same left pane navigation, reading pane, and calendar functions that Outlook users have come to know and love. Each user gets 25GB of email storage.

• Word Web App —Arguably one of the foundation pieces to the Office 365 suite, the Word Web App can be used to edit documents. It includes all the basic word processing features, such as formatting, word wrap, and spell checking. As a heavy Word user, I was pleasantly surprised with how fast and usable the Word Web App is. Like their desktop counterparts, all the Office web apps feature the Ribbon UI.

• Excel Web App —The cornerstone of the Office 365 suite, the Excel Web App lets you create and edit Excel workbooks. It works much like the desktop Excel client and provides support for basic Excel functions and formulas. It also supports multiple users simultaneously editing the same worksheets.

• Team Sites —One of the core features of Office 365 that makes it really useful is the built-in SharePoint site. Office 365's Team Sites feature is actually a hosted SharePoint Online site that both enables online storage for Office 365 documents and allows multiple users to collaborate on those online documents. The SharePoint back end provides the backdrop that makes the components of the Office 365 suite really usable and sets the Office 365 offering apart from competitors such as Google Docs.
ENTERPRISE IDENTITY


Deuby 

"If you were starting from scratch 
today, would you even want to host 
your own identities locally?" 

Outsourcing Your Identity with IDaaS 

The benefits and drawbacks of introducing it into your environment 



Identity professionals are becoming familiar with federation technology as a secure way to manage Internet single sign-on (SSO) to cloud service providers, but there's another way to handle Internet identity management that's gaining popularity: essentially outsourcing identity itself.

Ironically, installing federation services to simplify your Internet identity management increases your on-premises IT environment and skill requirements. It usually requires one—or more, for suggested high availability—server instances in your IT infrastructure, as Figure 1 shows. Some federation products are simple to install, some are complex and require consulting services, but all require some local expertise to install and maintain. A relatively new but growing sector in the identity business applies a cloud-computing service model to this need.

At its core, cloud identity is about securely extending your company's identity to cloud-computing service providers, and federation is a key component to achieve that. But the federation service doesn't necessarily need to reside on your company's premises. Identity as a service (IDaaS) moves the federation service point from within your IT infrastructure to the SaaS provider: Instead of hosting, configuring, and maintaining the federation servers yourself, the service provider hosts the servers, as Figure 2 shows.

How Does IDaaS Work? 

Because your identities are still required for federated SSO, an agent or server is installed inside your company's firewall that can perform LDAP queries against your Active Directory (AD) domains to obtain user and group objects. The agent maintains an outbound HTTPS connection to the IDaaS provider (HTTPS, not LDAPS, which is LDAP over TLS on its own port), over which it mirrors the desired AD objects to a local LDAP store at the provider such as AD Lightweight Directory Services (AD LDS). Generally, the user's password isn't mirrored to the IDaaS provider's data store. Because the agent-to-provider connection is outbound HTTPS, no extra inbound ports need be opened in the firewall to allow the traffic.

To access SaaS applications, the user authenticates to the IDaaS provider (for example, to http://usercompany.idaasprovider.com) with his or her enterprise account and password. Because the IDaaS provider doesn't store the user's password, the authentication request is passed back to the on-premises agent, which actually performs the authentication against the local AD implementation. The successful logon is passed back to the IDaaS provider. A portal then allows the user to choose from a range of SaaS applications that he or she can access without entering any other user IDs or passwords. This is known—in a slightly different context—as a "NASCAR screen" because it resembles an array of sponsor logos on a NASCAR race car.


The scope of AD objects that are mirrored to the IDaaS provider can generally be restricted on a per-OU or per-group basis. Implementations vary depending on the product, but this seems to be the most popular architecture.
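The delegated-authentication flow just described, as an added example that is not the article's code or any IDaaS vendor's protocol: a constructed directory stands in for AD, the agent exports only the in-scope OUs with password attributes stripped, the provider refuses any user it holds no mirror object for and otherwise calls back to the agent to verify the password, and the SaaS side checks a signed, expiring token. A `federated_login` function is included for contrast with the claims-based federation discussed earlier, where verification and signing both stay on-premises and only the signed assertion crosses the firewall. The class and function names, the `unicodePwd`/`userPassword` filter list, the OU scoping, the PBKDF2 verifier and the HMAC token format are all assumptions for illustration; a real deployment uses the vendor's agent and a standard assertion format such as SAML.

```python
"""Simulated IDaaS delegated authentication (added example, not the article's code).
OnPremAgent holds the only password verifiers inside the firewall; IdaasProvider
mirrors in-scope objects with password attributes stripped and issues signed SSO
tokens after delegating verification to the agent; federated_login is the
claims-based alternative; saas_accepts is the relying application's check.
Names, attribute filter and token format are illustrative assumptions."""
import hashlib
import hmac
import json
import os
import time

PASSWORD_ATTRS = {"unicodePwd", "userPassword"}  # assumed never-mirror list
PBKDF2_ROUNDS = 50_000


def _make_verifier(password):
    """Salted PBKDF2 stand-in for whatever the real directory stores."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def _check_verifier(verifier, password):
    salt_hex, digest_hex = verifier.split(":")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(cand.hex(), digest_hex)


# Constructed stand-in for AD; the ServiceAccounts OU is deliberately out of scope.
CONSTRUCTED_AD = [
    {"sAMAccountName": "alice", "ou": "Sales", "memberOf": ["CRM-Users"],
     "unicodePwd": _make_verifier("correct horse battery")},
    {"sAMAccountName": "bob", "ou": "Sales", "memberOf": [], "unicodePwd": _make_verifier("hunter2")},
    {"sAMAccountName": "svc-backup", "ou": "ServiceAccounts", "memberOf": ["Backup-Operators"],
     "unicodePwd": _make_verifier("not-for-saas")},
]


def sign_claims(key, claims):
    """Toy token, hex(JSON).hex(HMAC-SHA256); stands in for a signed assertion."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


class OnPremAgent:
    def __init__(self, directory, mirror_ous):
        self._dir, self._mirror_ous = directory, set(mirror_ous)

    def find(self, sam):
        return next((e for e in self._dir if e["sAMAccountName"] == sam), None)

    def export_objects(self):
        """What goes out over the HTTPS channel: in-scope OUs only, passwords stripped."""
        return [{k: v for k, v in e.items() if k not in PASSWORD_ATTRS}
                for e in self._dir if e["ou"] in self._mirror_ous]

    def verify_password(self, sam, password):
        """Called back by the provider; the verifier itself never leaves the LAN."""
        e = self.find(sam)
        return e is not None and _check_verifier(e["unicodePwd"], password)


class IdaasProvider:
    def __init__(self, agent, signing_key):
        self._agent, self._key = agent, signing_key
        self._mirror = {o["sAMAccountName"]: o for o in agent.export_objects()}

    def mirror_names(self):
        return set(self._mirror)

    def mirror_has_password_material(self):
        return any(a in o for o in self._mirror.values() for a in PASSWORD_ATTRS)

    def login(self, sam, password, now=None, ttl=300):
        """The password transits the provider (this model's drawback) but is
        verified on-premises; out-of-scope users are refused before any callback."""
        if sam not in self._mirror or not self._agent.verify_password(sam, password):
            return None
        now = time.time() if now is None else now
        return sign_claims(self._key, {"iss": "idaas.example", "sub": sam,
                                       "groups": self._mirror[sam]["memberOf"], "exp": int(now) + ttl})


def federated_login(agent, onprem_key, sam, password, now=None, ttl=300):
    """Claims-based variant: verify and sign on-premises, so only the signed
    assertion crosses the firewall, never the password."""
    if not agent.verify_password(sam, password):
        return None
    now = time.time() if now is None else now
    return sign_claims(onprem_key, {"iss": "sts.corp.example", "sub": sam,
                                    "groups": agent.find(sam)["memberOf"], "exp": int(now) + ttl})


def saas_accepts(token, key, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > (time.time() if now is None else now) else None
```

Build `IdaasProvider(OnPremAgent(CONSTRUCTED_AD, ["Sales"]), key)` and call `login`. The two checks worth keeping in a real rollout are the ones the test below makes: `mirror_has_password_material()` must be False after the first sync (the export filter did its job), and a login for an account outside the mirrored OUs must fail without the agent ever being asked, so the provider cannot be used as a password-guessing oracle for accounts you never meant to expose.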

IDaaS Benefits 

Using IDaaS instead of on-premises federation solutions provides a number of benefits. IDaaS solutions require a very small on-premises footprint—generally, a single server or multiple agents (though a fault-tolerant or high-availability configuration would be desirable for companies that heavily depend on SaaS applications). They're generally simple to set up and don't require a highly trained identity staff. They scale well because as you use more and more SaaS applications you don't need to add more and more federated trusts between your company and the SaaS provider;



Figure 1: Requirements of installing federation services 



Figure 2: The IDaaS service provider hosts the servers 
IDENTITY AS A SERVICE


the IDaaS provider has already established trusts with hundreds of SaaS providers, and you simply access the IDaaS provider. The pricing structure reflects service orientation also, because you're generally charged based on the number of users who access the service and how many SaaS applications they have access to.

But one of the biggest benefits that IDaaS providers have to offer over on-premises federation solutions is their "one stop shopping" approach to identity management. Depending on the provider you choose, they can offer not only SSO but also access management, account provisioning and de-provisioning, identity management, and auditing as part of the same solution.

Also, because of the service model architecture, the moving parts of identity management are hidden from its users. Users don't care whether federation, duplicate accounts, or smoke signals are used to provide SSO, as long as it works. IDaaS providers take advantage of this abstraction layer to add technology that makes SSO available for SaaS applications that wouldn't otherwise support it. For example, many smaller SaaS providers don't yet support federation. In the on-premises federation architecture, if the SaaS provider your users want (e.g., a specialized service that caters to a narrow market) doesn't support federation, you're out of luck and must manage duplicate accounts. IDaaS providers use various techniques behind the scenes to automate authentication with these providers, so their users have seamless access to them just as if they were federated.

IDaaS Drawbacks 

Every service architecture has its drawbacks, of course, and IDaaS is not without its share. First, as a long-time IT infrastructure guy I'm more than a little uncomfortable with this configuration because I always look for the worst-case scenario. This architecture means you must always pay a service provider—a third party—to maintain and operate the gateway to essentially all your cloud applications. Do you want that kind of vulnerability? What happens if you're tight for cash, or your account clerk misses a payment or two? Are all your accounts suddenly suspended? Do your company's cloud-related operations come to a screeching halt? And what if you're a cutting-edge new company that doesn't maintain any local identity store at all? What happens when you don't pay the bill? Can you operate at all? 

To be fair, the counter-argument that small companies and startups generally do a lousy job of maintaining their computing infrastructure also has merit; the IDaaS provider may well increase the customer's stability. I've seen enough small businesses to know this is an unfortunate reality. 

Next, the IDaaS method of user authentication to the service provider is arguably less secure than claims-based authentication, because passwords do travel outside the company's firewall (encrypted in transit with SSL/TLS, but still present) to and from the provider. The security of that session is therefore paramount: the provider must present a server certificate that the on-premises agent actually verifies before it sends anything, and the agent's own authentication to the provider must be strong. Claims-based authentication, in contrast, never transmits passwords; the identity provider authenticates the user locally and hands the service provider a signed token that carries only claims. A counter-argument to this potential vulnerability is that, at a corporate level, IDaaS is more secure than an on-premises federation-only configuration because its comprehensive SSO capability means there will be little to no need to manage duplicate accounts at SaaS providers that don't support federation. 
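As an added example (editor's code, not part of the original article), the following PowerShell function opens a TLS connection to an IDaaS endpoint and reports what an on-premises agent would actually be trusting before it sends a single password: the negotiated protocol, the server certificate's subject, issuer and expiry, and the chain-validation verdict Windows reaches. The hostname idaas.example.com and the issuer allow-list are placeholders; the function does not suppress validation errors, it records them so the decision is visible. It assumes .NET Framework 4.5 or later for the TLS 1.2 enumeration value.

```powershell
# Added example, not from the article. Reports the TLS session an on-premises IDaaS
# agent would get from the provider endpoint. Hostname and issuer list are placeholders.
function Test-IdaasTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,      # e.g. 'idaas.example.com' (placeholder)
        [int]$Port = 443,
        [string[]]$AllowedIssuerCN = @()              # optional allow-list of issuer CNs
    )
    # The callback records Windows' chain-validation verdict instead of hiding it;
    # it returns $true only to defer the decision to the caller, never to silence an error.
    $state = @{ PolicyErrors = 'NotRun' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Require TLS 1.2 and an online revocation check for the server chain.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate

        $issuerOk = ($AllowedIssuerCN.Count -eq 0) -or
            [bool]($AllowedIssuerCN | Where-Object { $cert.Issuer -like "*CN=$_*" })
        $notExpiringSoon = $cert.NotAfter -gt (Get-Date).AddDays(14)

        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            ChainErrors = $state.PolicyErrors           # 'None' is the only acceptable value
            Acceptable  = ($state.PolicyErrors -eq 'None') -and $issuerOk -and $notExpiringSoon
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage (placeholder host and issuer):
# Test-IdaasTlsEndpoint -HostName 'idaas.example.com' -AllowedIssuerCN 'Example Issuing CA'
```

Run it from the network segment the agent lives on, not from an administrator's workstation, because a proxy or TLS-inspecting middlebox on the agent's path would show up here as a different issuer or a chain error. An Acceptable value of false is a reason to stop the rollout, not to add an exception to the callback.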

Another concern is that the IDaaS architecture requires a subset of your identities to be stored off premises. It might be only a subset of your total corporate identities, without passwords, and it's only a mirror of them (i.e., changes are made to AD and mirrored to the IDaaS identity database; no changes are initiated at that database), but it's still a copy of your identity information given to a third party. 

Well, federation works in much the same way. It provides identities with some attributes (not passwords), presented as claims, to a service provider. The service provider automatically manages these identities as a mirror of their original status in AD. If an account authorized for federation has its authorization revoked, or is disabled in AD, the identity provider stops issuing tokens for it, so the service provider sees the revocation the next time the user tries to sign in. 

Because the whole architecture depends on a single encrypted session between your on-premises agent and the IDaaS provider, another potential drawback is that IDaaS is susceptible to Denial of Service (DoS) attacks. If someone hammers that HTTPS endpoint on port 443, no one in your company can use SaaS apps or—if you've outsourced your identity store to the IDaaS provider—any identity information at all. Of course, this kind of DoS attack would disrupt many other off-premises services as well. 

The IDaaS model is popular with small-to-midsized businesses (SMBs) or startups because they have little to no identity infrastructure. If you were starting from scratch today, would you even want to host your own identities locally? If you accept the risks I've presented, IDaaS might be very appealing. But interest in IDaaS doesn't seem to be limited to small companies; some very large enterprises are using it (though I don't know how broadly it's used in those companies). 

The IDaaS Market 

The IDaaS market is small but growing. Much of the work that needs to be done is customer awareness and education; most companies are still in the process of first understanding federation to support cloud computing services, and IDaaS is one layer of abstraction beyond that. Products such as Okta, PasswordBank, Ping Identity's PingConnect, and Symplified are the early and dominant players in this market. An indication of the expected growth of the market, however, is that large companies such as Intel (with its Expressway Cloud Access 360) have recently launched their own IDaaS products. 

As cloud computing services continue to expand and grow in popularity, cloud identity solutions are also evolving to deal with these services. IDaaS takes a core piece of the traditional enterprise infrastructure and makes it into a service itself, which allows you to manage access to SaaS applications with minimal effort. As you examine the different ways that you can securely manage your company's Internet identity, you should give the IDaaS model a close look. 
■ ASK THE EXPERTS 


■ Microsoft Outlook 

■ Microsoft App-V 

■ Hyper-V 


■ iSCSI 

■ Active Directory 



ANSWERS TO YOUR QUESTIONS 



Q: What's an Outlook form? 

A: It was suggested to me recently that I shouldn't use the term "Outlook form" because some people might not understand its use in certain contexts. However, I think you should know this term. 

When you go see your doctor for the first time, you probably get a clipboard with paperwork to fill out. You fill out these forms to facilitate transactions between you and your doctor. In Windows applications, a form is part of the UI in which you enter information to an application. In Microsoft Outlook, each of the windows where you enter content—for example, a new email message or a new calendar appointment—is called an Outlook form. Outlook forms include Message (for email), Contact, Meeting Request, and Appointment. Other default Outlook forms include Tasks, Journal Entries, Distribution Lists, and RSS Articles. These default forms are stored in the Standard Forms Library for Outlook. There are additional libraries as well, including Personal Forms and Organizational Forms if you have an Exchange Account. 

Each folder within the Outlook hierarchy has a default Outlook form associated with it. As you would expect, a mail folder such as your Inbox has the Message form as the default, and the Contacts folder opens the Contact form as its default. To see the list of available forms in Outlook 2010, navigate to Home, New Items, More Items, Choose Form. In Outlook 2007, you would navigate to File, New, Choose Form to open the Choose Form dialog box. The drop-down menu at the top shows the libraries where Outlook forms can be made available. 

The default Outlook forms are interpersonal message (IPM) types. You might see references to forms with the prefix IPM, such as IPM.Appointment or IPM.Contact. These are the names assigned to the forms for New Appointment and New Contact, respectively. Almost all items visible in Outlook have the prefix IPM, which is especially important to developers for calling default forms or naming custom forms. 

Custom Outlook forms are created to provide an interface to applications using Outlook as the UI. One such application is Microsoft's Business Contact Manager (BCM), which uses several custom forms, including the New Business Contact Form. Outlook provides a viable option for developers of applications outside of email to incorporate the Outlook UI into their applications using forms. 

—William Lefkovics 
InstantDoc ID 136198 

Q: I'm trying to deploy OSs from System Center Configuration Manager (SCCM) 2007 but I'm getting an error saying that the PXE certificate has expired. What do I do? 

A: By default, SCCM uses a self-signed certificate for the PXE communications, which has a configured expiration date. This certificate can be replaced with an alternate certificate, or the expiration date can be changed by opening the Configuration Manager Console, navigating to Site Database, Site Management, site, Site Settings, Site Systems, server and selecting the properties of the ConfigMgr PXE service point. Under the Database tab, change the date of the PXE certificate expiration. 

—John Savill 
InstantDoc ID 136312 

Q: I have several virtual machines (VMs) running on Hyper-V linked to the same external virtual network. When they communicate with one another, does the traffic actually get passed to the physical network card? 

A: Hyper-V has various types of virtual networks. An external virtual network is one that's linked to an actual physical network device, enabling communication to the network that's connected to the network adapter. If you have multiple VMs connected to the same external network and they communicate with each other, a common question is whether that traffic actually gets sent down to the physical network adapter that the external network is connected to. 

The answer is no. Hyper-V is smart enough to optimize networking traffic and, providing it's unicast VM-to-VM traffic on the same Hyper-V host via the same external virtual network, the traffic is sent without ever hitting the physical NIC. If the VMs were on the same host but connected to different external virtual networks, this optimization wouldn't apply—the traffic would hit the network adapter and the underlying network. 

—John Savill 
InstantDoc ID 136314 
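The answer above has a monitoring consequence worth making explicit: traffic that never reaches the physical NIC is also never seen by a network IDS or a span port on the physical switch. As an added example (editor's code, not from the column), the following PowerShell function lists, per virtual switch, which VMs can exchange frames host-locally and whether any adapter on that switch is configured as a port-mirroring destination, which is the only way a sensor VM would see that east-west traffic. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later); the 2008 R2 host in the question has no such cmdlets.

```powershell
# Added example, not from the column. Requires the Hyper-V PowerShell module (Windows
# Server 2012 or later). Per virtual switch: which VMs can talk host-locally, and
# whether port mirroring delivers that traffic to a sensor VM.
function Get-VmSwitchVisibility {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $switches = Get-VMSwitch -ComputerName $ComputerName
    $adapters = Get-VMNetworkAdapter -ComputerName $ComputerName -VMName * |
        Where-Object { $_.SwitchName }                 # skip disconnected adapters

    foreach ($group in ($adapters | Group-Object -Property SwitchName)) {
        $switch = $switches | Where-Object { $_.Name -eq $group.Name }
        $vms    = @($group.Group | Select-Object -ExpandProperty VMName -Unique)
        # Port mirroring: frames from 'Source' adapters are copied to the 'Destination'
        # adapter on the same switch. Without a Destination, nothing off-host sees them.
        $sources = @($group.Group | Where-Object { $_.PortMirroringMode -eq 'Source' } |
            Select-Object -ExpandProperty VMName)
        $sinks   = @($group.Group | Where-Object { $_.PortMirroringMode -eq 'Destination' } |
            Select-Object -ExpandProperty VMName)

        [pscustomobject]@{
            Switch             = $group.Name
            SwitchType         = $switch.SwitchType        # External, Internal or Private
            VMs                = $vms -join ', '
            # Every pair of VMs on this switch exchanges unicast traffic without the NIC.
            HostLocalPairs     = [int]($vms.Count * ($vms.Count - 1) / 2)
            MirroredSources    = $sources -join ', '
            MirrorDestinations = $sinks -join ', '
            EastWestMonitored  = ($sources.Count -gt 0 -and $sinks.Count -gt 0)
        }
    }
}

# Usage: switches with host-local traffic that no sensor sees.
# Get-VmSwitchVisibility | Where-Object { $_.HostLocalPairs -gt 0 -and -not $_.EastWestMonitored }
```

Internal and Private switches appear in the output too, since their traffic never leaves the host either; the External case is the one people tend to assume is visible on the wire.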
Q: What are some best practices for defining a new Active Directory (AD) administrative delegation model? Why is it important to differentiate AD service administrators from AD data administrators? 

A: The goal of any AD administrative delegation model is to ensure that delegated administrators can't gain sufficient rights to elevate their own privileges to those of a full administrator, such as a domain or enterprise administrator. Delegated administrators should only be granted the fewest privileges possible to perform the administrative tasks they've been delegated to do—no more, no less. If the role of a Help desk operator is to reset users' passwords, there's no need to give this group full control over an Organizational Unit (OU) containing all user accounts, allowing the Help desk operator to make many other changes to user accounts and other objects in the same OU as well. This is commonly referred to as the principle of least privilege, and it's a general security best practice. 

The AD access control model allows you to implement most administrative roles in such a way that no AD privilege elevation is possible, but there are certain roles where this can't be guaranteed because of the AD and Windows OS security model. For example, Enterprise Admins, Schema Admins, Domain Admins, and Administrators are highly privileged groups, whose members have complete control over the forest or the domain in which they reside. 

But there are also other default AD groups that give accounts the capability for an elevation-of-privilege attack against AD. Although this would have to be performed via a malicious act, either intentionally or not (e.g., by leveraging a virus), members of a group such as Server Operators can elevate their privileges fairly easily to become administrators of a domain controller (DC), the whole domain, or the whole forest. Members of the Server Operators group can log on locally to DCs and perform critical tasks such as backup and restore of the DC. More important, they have sufficient privileges to change and install new binaries on a DC, which allows them to inject code to the DC that's executed with higher privileges than the Server Operators group has itself. Such code could add the user to a more highly privileged group. Since the members of the Account Operators group control the membership of the Server Operators group, the same risk applies to these users. 

That is why it's a best practice to differentiate between two types of administrators for any AD administrative delegation model: service administrators and data administrators. 

Service Administrators 

Members of groups that grant sufficient rights to allow physical access to DCs, perform configuration changes to the AD (e.g., security, replication changes), have administrative rights over any DC, or can manage any Group Policy that affects DCs (these are domain- or site-level GPOs) are considered service administrators. 

Members of the AD groups listed in Table 1 are considered service administrators by default. Members of custom groups that grant similar permissions to those named above (for example, full control of an AD site, which allows site-level Group Policy management) must also be considered service administrators. 

Table 1 

Active Directory Group Name    Default Administrative Scope 
Enterprise Admins              Forest 
Schema Admins                  Forest 
Administrators                 Domain 
Domain Admins                  Domain 
Server Operators               Domain 
Account Operators              Domain 
Backup Operators               Domain 
Printer Operators              Domain 

Data Administrators 

Members of custom-defined groups that are granted permissions to control objects within only certain OUs and that have no permission to directly administer a DC are considered data administrators. These custom-defined groups include the groups created for computer and user administration within an OU, group-membership management, or the management of specific member servers. 


Any service administrator in an AD forest must be highly trusted by the company that owns the forest. A company must consciously accept the risk for the potential of an elevation-of-privilege attack and should implement appropriate means to audit the activity of service administrators. Also, the groups that grant service administration privileges should be tightly controlled and monitored so that changes don't go unnoticed. Ideally, AD service administration should be completely controlled by only using the following default administration groups: Enterprise Admins, Schema Admins, Domain Admins, and Administrators. But overall, the usage of service administrator groups should be avoided and instead be implemented at the OU level via separate custom-defined data administrator groups. 

—Jan De Clercq 

InstantDoc ID 136138 
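The answer describes both halves of the model without showing either in code. As an added example (editor's code, not from the column), the PowerShell below first implements the data-administrator case from the answer's own illustration, a Help desk group that gets only the "Reset Password" extended right on user objects under one OU rather than Full Control of the OU, and then implements the control the answer asks for on the service-administrator side, comparing the direct membership of the Table 1 groups against an approved baseline and reporting drift. It assumes Windows PowerShell 3.0 or later with the ActiveDirectory module (RSAT); the OU path, group names and the baseline membership lists are placeholders. The right and class GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the column. Windows PowerShell 3.0+ with the ActiveDirectory
# module (RSAT). OU path, group names and the approved-member baseline are placeholders.
Import-Module ActiveDirectory

# Data-administrator role from the answer: a Help desk group receives only the
# "Reset Password" extended right on user objects under one OU, not Full Control.
function Grant-ResetPasswordOnOu {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=Staff,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$GroupSamAccountName     # e.g. 'HelpDesk-PwdReset'
    )
    $rootDse = Get-ADRootDSE
    # Resolve the GUIDs from this forest's configuration and schema partitions.
    $resetRight = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
        -Properties rightsGuid
    $userClass  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(ldapDisplayName=user)' -Properties schemaIDGUID
    $resetGuid = [guid]$resetRight.rightsGuid
    $userGuid  = [guid]$userClass.schemaIDGUID

    $sid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetGuid,                                                  # which right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)                                                   # only on user objects
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Return the ACE as written so the delegation can be reviewed and logged.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $resetGuid -and "$($_.IdentityReference)" -like "*\$GroupSamAccountName" }
}

# Service-administrator control from the answer: compare direct membership of the
# Table 1 groups against an approved baseline and report drift. Baseline is a placeholder.
function Get-ServiceAdminGroupDrift {
    param(
        [hashtable]$Baseline = @{
            'Enterprise Admins' = @('Administrator')
            'Schema Admins'     = @()
            'Domain Admins'     = @('Administrator')
            'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
            'Server Operators'  = @()
            'Account Operators' = @()
            'Backup Operators'  = @()
            'Print Operators'   = @()    # built-in name of the group Table 1 calls "Printer Operators"
        }
    )
    foreach ($groupName in $Baseline.Keys) {
        $members  = @(Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName)
        $approved = @($Baseline[$groupName])
        [pscustomobject]@{
            Group      = $groupName
            Members    = $members -join ', '
            Unexpected = @($members  | Where-Object { $approved -notcontains $_ }) -join ', '
            Missing    = @($approved | Where-Object { $members  -notcontains $_ }) -join ', '
        }
    }
}

# Usage (placeholders):
# Grant-ResetPasswordOnOu -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupSamAccountName 'HelpDesk-PwdReset'
# Get-ServiceAdminGroupDrift | Where-Object { $_.Unexpected -or $_.Missing }
```

Resetting a password normally also needs write access to pwdLastSet if the Help desk is expected to force a change at next logon; that is a second, equally narrow ACE, not a reason to widen this one. Schedule the drift report and treat any Unexpected entry in the Table 1 groups as an incident to investigate, not a ticket to approve retroactively.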

Q: How can I use the Windows Performance Toolkit to trace the startup performance of my machine? 

A: With the Windows Performance Toolkit, you can collect detailed traces of what's happening in the OS when you run certain applications. You might want to troubleshoot, or just view, what's happening during an OS boot, and you can do that too. 

If you've installed the Windows Performance Toolkit, you can use the Xbootmgr command to set up tracing of a Windows boot. Use 

xbootmgr -trace boot -traceFlags base+drivers+power+cswitch -numRuns 1 -resultPath C:\TEMP 

Once you enter this command, the machine will shut down and reboot. Once the machine has rebooted and you log on, you might see a screen saying that the tool is still collecting, and asking if you want to let it continue and to allow the tool to elevate permissions. A warning will also be shown that says the trace could contain sensitive information, so use caution when sharing it. 

After the tool's done, go to the folder you specified and several files will be present: a log file, a .cab file, and a very large .etl file that contains all the collected data. You can view the .etl file with Xperfview—double-click the ETL file to automatically open it. (Opening it can take some time because Xperfview has to parse the file.) You'll see a graphical view of the boot, including the logon. Information about the CPU, disk, services, processes, drivers, hard faults, and readyboot will all be shown to help identify where any delays in boot are occurring. Click the arrow on the left to select which graphs to display. 

—John Savill 

InstantDoc ID 139479 

Q: How can I show a second time zone in calendar view in Outlook 2007? 

A: You might have an office in a secondary location, or perhaps you or one of your users is traveling and would like an easy reference to a secondary time zone displayed in Microsoft Outlook. The calendar view in Outlook 2007 gives you the ability to add a second time zone column. This feature is also available in Outlook 2010. 

To add the second time zone in Outlook 2007, go to Tools, Options and select Calendar Options on the Preferences tab. Next, click Time Zone under Advanced options to open the Time Zone dialog box. By default, the current time zone doesn't have a label, but a field is available to add one. When you select the check box for Show an additional time zone, the other fields become available for editing. Now it's easy to see the time in a second location while viewing events in your time zone. 

This time zone setting is held in the registry and therefore can be managed centrally with Group Policy, logon scripts, or other management tools. The DWORD SecondaryTZ subkey can be toggled on or off with a value of 1 or 0 respectively. The labels for the time zone columns in the calendar view are string values called ShortName1 and ShortName2 as follows: 

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Options\TimeZone 
"SecondaryTZ"=dword:00000001 
"ShortName1"="US West" 
"ShortName2"="England" 


Adding a second time zone in the calendar view doesn't affect items stored in your calendar. The additional column is for display and comparative purposes only. If necessary, you can swap time zones. Going back to the Time Zone dialog box, you'll see a button on the bottom left labeled Swap Time Zones. All this does is switch the two columns and display your calendar events at the time they would occur in the second time zone. This doesn't change the calendar appointments or meeting times; it changes only the display of those events. 

—William Lefkovics 
InstantDoc ID 136197 

Q: How do I get a system tray notification of new mail on an IMAP account with Outlook? 

A: The Microsoft Outlook implementations of IMAP have always seemed to have some imperfections that are cause for annoyance. The latest problem has been the lack of a new mail envelope in the system tray when new messages arrive in IMAP accounts. This system tray notification works fine for Microsoft Exchange Server accounts and even for POP3 accounts. For IMAP accounts, this feature doesn't work. It doesn't work even when you have a profile with multiple accounts—the new mail envelope appears only for the non-IMAP accounts. 

There's no fix from Microsoft, if indeed this really needs fixing; however, there's a third-party plug-in that provides this functionality for free. Programmer and computer science PhD grad student Emil Stefanov created an application he calls Outlook Email Notifier (OEN), which creates the envelope icon in the system tray for IMAP accounts. You can download the application from Stefanov's website (tinyurl.com/6lxebmn). 

The small setup.exe file installs a .vsto file. You can install this plug-in while Outlook is open; however, Outlook will require a restart to recognize the addition. You can identify the plug-in within Outlook 2010 by navigating to Tools, Options and selecting Add-Ins. There's no actual UI for this plug-in; it has a very simple function: You'll now see an envelope in the system tray for new email messages, including new messages received on IMAP accounts. The envelope is a little larger than the envelope you typically see in Outlook. 

If you have only an IMAP account, you'll see only the OEN plug-in rendition of the new mail envelope. If you have an IMAP account plus another account type, you'll see multiple envelopes—the slightly larger envelope is displayed by the OEN plug-in. 

If you're using Outlook 2010 on Windows 7, there's another mechanism to view the new mail envelope. The Windows 7 taskbar shows icons of applications in use. When new mail arrives in Outlook 2010, the Outlook logo icon changes to include a little envelope overlapping the icon. In this case, the envelope shows regardless of what protocol is in use for the Outlook account. 

Overall, this little Outlook annoyance does have options for those who are using IMAP and simply must have the little envelope in the system tray to identify new email. 

—William Lefkovics 
InstantDoc ID 136199 

Q: What iSCSI network accelerations do Windows Server 2008 and Server 2008 R2 have? 

A: Server 2008 and Server 2008 R2 include support for four network accelerations that specifically benefit iSCSI connections. These accelerations require participation from hardware components, so verify support from your manufacturers. When they're supported, each increases the performance of iSCSI connections. 

• TCP Chimney Offload transfers TCP/IP protocol processing from the server's CPU to the chipset on the network adapter. This feature sometimes requires separate licensing from the network adapter manufacturer. 

• Virtual Machine Queue (VMQ) distributes received network frames into different queues based on the target virtual machine (VM). It uses hardware packet filtering to reduce the overhead of routing network packets to VMs. This distribution allows different CPUs to process the incoming data. VMQ must be supported by network adapters, and is commonly associated with Intel NICs and processors. 

• Receive-Side Scaling (RSS) distributes the load from network adapters across multiple CPUs. It was first available in Server 2008 RTM, with R2 adding improved initialization and CPU selection at startup. 

• NetDMA is the final acceleration. This feature offloads the network subsystem memory copy operation to a dedicated engine to improve performance. 

AUGUST 2011 Windows IT Pro www.windowsitpro.com 

—Greg Shields 

InstantDoc ID 136361 

Q: If I'm using Microsoft Application Virtualization (App-V) for Remote Desktop Services (RDS), when does an application that's been updated get updated on the RDS server? 

A: When a virtualized application is started on a typical App-V client, the client checks with the App-V server for updates. If an update to the virtualized application is available, the update is pulled down into the local cache and the updated version of the application is launched. 

With App-V for RDS, the local cache is shared between all the users logged onto the Remote Desktop Session Host (RDSH). Update behavior is different for these multi-user environments. The application can't be updated in the App-V cache until there are no active users of the application. So, in order to update the application, you need to ensure that no users on the RDSH are using the application. You'll probably have to stop users from logging on while the cache is updated. 

Another option would be to create a new application and advertise it to your users instead of updating the application. This way, users can continue to launch the application and they'll get the updated version, while users who are currently working with the application could carry on with the old version until they restart the application. Once everyone is on the new version of the application, you can remove the old one. The one disadvantage to this approach is that, depending on the application, your users could lose some of their settings, because the update would be seen as a new application—customizations that App-V had stored wouldn't carry over to the new version. 

—John Savill 

InstantDoc ID 136316 


Q: What policies configure iSCSI Multipath I/O (MPIO) behavior? 

A: MPIO is commonly used to aggregate multiple iSCSI network adapters. This aggregation can be used for failover or for load-balancing traffic between a server and its storage. You can configure an MPIO-enabled LUN in Windows Server 2008 R2 with one of six different policies: 

• Failover only is used to provide additional availability should a connection fail, but doesn't provide load balancing or network aggregation. 

• Round robin is the default setting for most connections. It aggregates network connections, sending data equally across each connection. 

• Round robin with a subset of paths adds one or more additional failover adapters, which are used only when each member of the round robin group has failed. 

• Least queue depth also provides for network aggregation but sends each I/O request through the connection with the least number of requests in queue. 

• Weighted paths provides network aggregation but adds the ability to manually assign weights to different paths. These weights determine how heavily each connection is used in comparison with the others. 

• Least blocks is similar to Least queue depth in that it unevenly distributes I/O requests; however, this policy sends each I/O request through the connection with the least number of pending I/O blocks. 

Prior to setting any of these policies, ensure that your storage hardware supports their use. 

—Greg Shields 

InstantDoc ID 136362 

Q: Do I need to run antivirus software in my virtual desktop infrastructure (VDI) OS images? 

A: The answer will very much depend on the type of virtual machine (VM). The question of antivirus or any malware protection is really based around the extra load that malware protection places on the environment, plus licensing costs of the malware protection clients. 


There are two types of client VMs used in VDI infrastructures: persistent and non-persistent. Persistent VMs are created and used for a prolonged period and not recreated frequently. These persistent VMs can be used as part of a pool shared between users, or a VM can be assigned to a particular user, but because the OS within the VM has a long lifetime, you need to treat it like a typical desktop. Therefore, it needs standard protection, including antivirus software. 

Non-persistent VMs are typically the more debated type of VM. With a non-persistent VM, the client OS is typically created as the user needs it for a session and then deleted when the user logs off. Often the argument is, why bother with antivirus on these OS instances? Even if the OS gets a virus, it'll be wiped out on logoff, and any damage to the OS will be undone. 

You need to consider what viruses do today, however. In their early days, viruses wanted to be known and notoriety was sought by writers—the actual damage done by them was normally fairly minimal. Today, most viruses are out to make money by grabbing credit card details and passwords and then replicating out to other machines. This damage—stealing information—is done when the virus is installed, so even though the installation of the virus would be wiped when the VM is reset, the damage has already been done. This is why, in my opinion, you should have antivirus protection on any OS instance, even if it will only exist for a short time. It takes less than a second for a virus to do its damage. 

I would stress caution, however, as to which antivirus solution you use and which heuristics are enabled. Some antivirus solutions can use large amounts of CPU resources, and they can adversely affect the performance of your VDI implementation, so research and testing are critical. 

There are VDI-specific antivirus solutions available that run a very small piece of in-memory code in the client VM to reduce footprint, and run a larger scan on the actual parent partition (with Hyper-V) of the file-based resources. 

—John Savill 


Q: I've heard that using Lync or Office Communications Server (OCS) in a Remote Desktop environment isn't recommended. Why not? 

A: You should talk to your Microsoft support representative for the most recent information, because the situation is evolving. For now at least, the fundamental issue is the quality of the service. Remote Desktop has had bidirectional audio support since Remote Desktop Protocol 7. (RDP 7 was introduced with Windows 7 and Windows Server 2008 R2, but the Remote Desktop Connection client has been updated for Windows Vista SP1 and Windows XP SP3 to add RDP 7 support.) The problem isn't the bidirectional audio; it's making sure the Lync or OCS client has the correct information about the network to optimize the experience. 

When you run the Lync or OCS client on your local machine, the client can analyze the server and its connection to it. It can then optimize audio quality and other factors based on the available network, ensuring that you get the best experience for your connection. Now imagine you run the Lync client on a Server 2008 R2 Remote Desktop Session Host or Windows 7 virtual machine (VM) in the datacenter and connect remotely to that OS using RDP from a remote location. The Lync client will analyze the connection to the server (which would likely be in the same datacenter) and see a great network connection with no latency, so it will be configured for that setup. However, you're actually sitting at a different location with a very different network, so the quality of your voice and video will suffer. 

You can still use the IM, presence, and Web conferencing features of Lync with RDP and be supported, but not the audio and video features. The official support statement is available on Microsoft's site. 

—John Savill 
InstantDoc ID 129596 

Q: How can I find the short service name of a Windows service from the service display name? 

A: Services in Windows have two names—their easy-to-understand display names and their actual service names, which is how their configuration is stored in the registry (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services). If you know the display name and want to find the service name, the easiest way is to run 

sc query 

from the command line. This will list information about all the services on a box, including the service name and the display name. You can dump the results to a file by adding > file.txt to the command, and then search the file for the service. Using PowerShell is much easier, though: Just use the get-service cmdlet and pass the displayname, as shown here: 

get-service -DisplayName "Network Location Awareness" 

—John Savill 

InstantDoc ID 129597 
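As an added example (editor's code, not from the column), the PowerShell function below takes the display-name lookup one step further along the path the answer describes: it resolves the short name, reads the service's registry key under HKLM\SYSTEM\CurrentControlSet\services, and reports the details a reviewer wants next to the name, namely the ImagePath, the logon account, the start mode, and whether the binary path is unquoted with spaces in it. That last check matters because the service controller resolves an unquoted path by trying each space-delimited prefix in turn, so a writable parent directory lets a low-privileged user plant a binary that runs as the service account. The display name passed in the usage line is the one from the answer; wildcards are accepted.

```powershell
# Added example, not from the column. Resolves a display name to the short service name
# and shows the registry-backed details a reviewer wants next to it: ImagePath, logon
# account, start mode, and whether the binary path is unquoted with spaces.
function Resolve-ServiceName {
    param([Parameter(Mandatory)][string]$DisplayName)   # wildcards allowed, e.g. 'Network*'

    foreach ($svc in (Get-Service -DisplayName $DisplayName -ErrorAction Stop)) {
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\services\$($svc.Name)"
        $reg    = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
        $wmi    = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        $image  = [string]$reg.ImagePath

        # Unquoted path with a space before the executable name: the service controller
        # tries each prefix in turn (C:\Program.exe, then C:\Program Files\Vendor.exe, ...),
        # so a writable parent directory lets a low-privileged user plant a binary.
        $exePart  = ($image -split '\.exe')[0]
        $unquoted = ($image -ne '') -and ($image[0] -ne '"') -and ($exePart -match '\s')

        [pscustomobject]@{
            DisplayName      = $svc.DisplayName
            Name             = $svc.Name
            RegistryKey      = $regKey
            ImagePath        = $image
            RunsAs           = $wmi.StartName
            StartMode        = $wmi.StartMode
            UnquotedPathRisk = $unquoted
        }
    }
}

# Usage: Resolve-ServiceName -DisplayName 'Network Location Awareness'
# Whole-box sweep: Resolve-ServiceName -DisplayName '*' | Where-Object { $_.UnquotedPathRisk }
```

Services hosted in svchost.exe share a binary, so for those the interesting part is the ServiceDll value under the key's Parameters subkey rather than ImagePath; the function reports the key path so that follow-up is one Get-ItemProperty away.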

Q: What's the easiest way to determine the Windows Firewall profile that's currently active on my Windows 7 box? 

A: You can discover the active Windows Firewall profile from the startup page of the Windows Firewall with Advanced Security MMC snap-in. To start this snap-in, type wf.msc in the Search programs and files box of the Start menu. To find out the active profile, look at the main page of the snap-in that is visible on startup: In the overview section, it should say, for example, Private Profile Is Active. 

You can also find the active firewall 
profile using the Check firewall status 
option in the Control Panel, or from the 
command line using the Netsh command 

netsh advfirewall show currentprofile 
—Jan De Clercq 

InstantDoc ID 129589 

Q: How can I enforce the appli¬ 
cation of machine Group Policy 
Object (GPO) settings on a Windows 
client? Are there any differences 
here between Windows 2000 and 
Windows Server 2008? 

A: On a computer running Windows 
7, Server 2008 (and R2), Windows Vista, 


Windows Server 2003, or Windows XP, you 
can enforce the application of machine 
GPO settings by typing the following 
command: 

gpupdate /target:<computer_name> /force

Make sure you're doing this in the security 
context of an administrator account and 
that you replace computer_name with the 
correct machine name. 

On a computer running Windows 2000, 
you must use the following Secedit com¬ 
mand to achieve the same thing: 

secedit /refreshpolicy machine_policy 

—Jan De Clercq 

InstantDoc ID 129591 

Q: I installed the System Center 
Service Manager (SCSM) Self- 
Service Portal onto my SCSM 
Management Server. I get an error 
and see that the SM_AppPool has 
errors and been disabled. What's 
wrong? 

A: When SCSM is installed, you have 
to specify an account that will host the 
management service that gets given 
specific permissions. In addition to 
specifying this account during installation, 
you should actually be logged on as the 
account during installation. If, like me, you 
were actually logged on as Administrator 
and then installed SCSM and the portal, 
you need to manually grant the Service 
Manager service account permissions over 
the application pools. Navigate to the .NET 
Framework folder, as shown below, and 
then run the command shown using your 
domain and service account name. 

C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -ga <domain>\<service manager service account>

For example,

C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -ga savdemo\svcmgrsvc

—John Savill 

InstantDoc ID 129564 
Harden your virtualization infrastructure

by Alan Sugano 


Server virtualization has many benefits, including savings on hardware, power, and
cooling, as well as simplified management. Anyone who's been in IT for any length of
time has dealt with a computer that was infected with spyware, a virus, or possibly a
rootkit. If the infected computer is a physical machine, you can at least shut it down
or unplug it from the network to prevent further infection. But what if the infected
computer is a virtual machine (VM)? Or worse, what if the infected computer is a
VMware ESX host?

If a host is compromised, an attacker can create new rogue VMs or mount a hyperstack or
hyperjack attack. A hyperstack attack is similar to a man-in-the-middle attack: a rogue
hypervisor is inserted beneath the original one, so the legitimate hypervisor and its VMs
keep running, unaware of the compromise, while the rogue hypervisor is privy to all the
communication between the original hypervisor and the VMs. A hyperjack attack is a
compromise of the hypervisor itself, similar to a rootkit infection on a physical computer.
There have been a few documented hypervisor attacks, and it's just a matter of time before
an ESX attack is released into the public domain.

When a hypervisor is compromised, determining the source of the attack is very difficult
because the affected machines are VMs rather than physical boxes you can pull off the wire.
The problem is even worse if the hypervisor is part of a cluster: the rogue VM could be moved
from one host to another and possibly even replicated to a remote site using SAN replication.
If a host in a cluster gets infected, you'll probably have to take down your entire
virtualization cluster and clean up the mess.

I hope I've raised enough concerns to convince you that virtualization security is indeed
important. The basic tenet of virtualization security is to protect the virtualization host at
all costs. If a host is compromised, you might not be able to fully recover your environment.
I teach a 5-day course on this subject, so this article obviously isn't a comprehensive tutorial
on how to harden your virtualization environment. However, the suggestions I highlight in this
article can be a significant help in hardening your virtualization infrastructure in a VMware
environment.


Protected Management Network 

The most important step you can take to protect your ESX hosts is to establish a protected 
management network for your hosts, as Figure 1 shows. This dedicated management network 
is protected from the other internal networks. In Figure 1, the only way to manage the ESX host 
is to access the Virtual Host Management Computer. This computer typically runs VMware 
vCenter Server. 

To access the management network, the network administrator must authenticate to the
SSL VPN, which is set up for two-factor authentication. After the network administrator is
authenticated through Active Directory
(AD), he receives a one-time password
(OTP) via text message to his cell phone.
(If a network administrator receives an
OTP when he wasn't logging on to the SSL
VPN appliance, his AD username and
password should be treated as compromised.)
After authenticating to the SSL VPN, the
network administrator receives a shortcut
for using RDP to access the vCenter server.

A firewall rule is created to allow SSL 
(TCP port 443) traffic to pass from the 
virtual server network to the dedicated 
management network. For further secu¬ 
rity, you can restrict the firewall rule to 
allow only specific IP addresses to access 
the SSL VPN appliance on the protected 
network. We typically allow all traffic to 
pass from the dedicated management 
network to the virtual server network. 
In the event of an attack, this dedicated 
network should buy you extra time to 
further isolate the network before any 
information is compromised. 

This approach is consistent with pro¬ 
tecting the host at all costs. Although this 
kind of strategy with a VPN appliance 
is somewhat uncommon, it's appropri¬ 
ate for an enterprise environment with 
multiple ESX administrators. If you don't 
want to use an SSL VPN, I still strongly 
suggest that you use a dedicated management
network and that you open up only
TCP port 3389 (RDP) on the firewall so
that network administrators can access
the vCenter server.

www.windowsitpro.com

The concept of a dedicated manage¬ 
ment network is consistent with today's 
security model of siloing. Siloing seg¬ 
ments a network into logical subnets so 
that users don't have access to comput¬ 
ers they don't need access to. I prefer
using a firewall to implement siloing
rather than using a switch or router 
because the logging, management, and 
troubleshooting tools are significantly 
better on a firewall. The following should 
also be considerations in a dedicated 
management network: 

• HP Integrated Lights-Out (iLO)/Dell 
Remote Access Controller (DRAC) 
cards—These cards let the network 
administrator gain remote console 
access to an ESX host even when 
it's turned off. However, they must
be plugged in to the dedicated
management network rather than the
public network to prevent leaving an
open back door to the host.

• Switch management—Should 
be accessible only from the 
management network. 

• Firewall management—Should be 
accessible only from a dedicated 
management network. 

• UPS management—If you're running 
a UPS with a network-enabled 
management card, this card should 
be plugged in to the management 
network; otherwise, a hacker 
could launch a Denial of Service 
(DoS) attack against all the VMs by 
accessing the UPS management card 
and simulating a power failure. 

On ESX or ESXi, you can estab¬ 
lish management presence on a spe¬ 
cific network card on the ESX host. In 
the vSphere Client, on the ESXi host, 
select the Configuration tab and click 
Networking. Select Add Networking, 
VMkernel, Use this port group for man¬ 
agement traffic. Then, assign a static IP 
address to the host. Figure 2 shows an 
example of a dedicated management 
network on ESX. 

In this example, a dedicated ESX man¬ 
agement network was created with an 
ESX host IP address of 192.168.x.x. As you 
can see, all the other VMs are isolated on a 
separate network called VM Network. The 
two VMs that are connected to this man¬ 
agement network are running vCenter. All 
other VMs on the ESX host are connected 
to the separate VM network. 

Another important step in ensuring 
a secure virtualized environment is to 
configure your hosts with an adequate 
number of network cards. vMotion (ESX) 
lets you move a VM from one host to 
another host while the VM is running. 
Isolating traffic, especially vMotion traf¬ 
fic, is a security consideration as well as a 
performance consideration. You should 
establish a dedicated isolated network 
for vMotion, because any time a VM is 
moved from one host to another, the traf¬ 
fic moves in clear text—including every¬ 
thing that's currently in RAM—which 
creates a significant security risk. 

For standalone hosts, you need three
network cards, as Table 1 shows. For
clustered hosts, you need seven network
cards, as Table 2 shows.

Figure 2: ESX host with dedicated management network

On ESX, VMware Distributed 
Resource Scheduler (DRS) performs 
automatic load balancing between ESX 
hosts. You create a resource pool of two 
or more ESX hosts, then run VMs on that 
resource pool. When a host gets over¬ 
loaded, some of the VMs are automati¬ 
cally migrated to other ESX hosts in the 
resource pool that have lower utilization. 
VMware Distributed Power Management 
(DPM) automatically consolidates VMs 
onto fewer ESX hosts when the VM 
load is light. ESX hosts are automati¬ 
cally powered down when they aren't 
in use. When the VM load increases, the 
ESX hosts are started and the VMs are 
migrated to the newly started hosts. It's 
especially important to create an isolated 
network for vMotion moves on DRS- and 
DPM-enabled clusters because you can't 
predict when a vMotion move will occur. 
An added benefit of a dedicated vMotion 
network is the improved performance of 
vMotion migrations because of reduced 
network contention. 

ESX Hardening Guidelines 

Establishing a dedicated management 
network is just one step in hardening 


your virtualization infrastructure. Next, 
let's look at some ways to make your ESX 
hosts more secure. 

According to VMware, vSphere 4.1 
will be the last version to include both 
the ESX and ESXi versions of vSphere 
Hypervisor. All future releases of vSphere 
Hypervisor will include only ESXi. The 
main reason for this change is security. 
ESXi removes the Service Console and 
Web Server from ESX, making the foot¬ 
print significantly smaller. I suggest that 
you move to ESXi now because you'll be 
forced to move to it in the next release of 
vSphere. You must learn the Command- 
Line Interface (CLI) on ESXi, which is the 
replacement for the Service 
Console in ESX. Before you 
upgrade, make sure that any 
third-party applications or 
applications that run in the 
Service Console have com¬ 
patible versions that work 
with ESXi. 

If you can't migrate to ESXi 
yet (in my experience, about 
half of all shops have yet to 
migrate from ESX), make sure 
that you adhere to the follow¬ 
ing best practices for access¬ 
ing the ESX console: 


• Disable remote root access. This 
access is disabled by default, 
but many administrators enable 
remote root access after ESX is 
installed. Instead of logging on as 
root, create an additional user with 
administrator rights to perform your 
ESX console management. 

• Use sudo. When logging on to the
ESX console, use sudo rather than
logging on as root or using su.
When you use sudo, each console
command is logged in /var/log/secure
together with the account that ran it.
If you log on as root or use su, not
all the console commands are logged,
and you lose the link between a
command and the individual
administrator who ran it. I suggest
removing or disabling su so it can't
be used.

• Use host profiles. Host profiles 
are included in VMware vSphere 
Enterprise Plus. After you harden an 
ESX host, you can use host profiles 
to clone the ESX host configuration, 
determine which ESX hosts are out 
of compliance, and automatically 
remediate them. Host profiles ensure 
that you have a consistent ESX host 
configuration across all the ESX hosts 
in your virtualization infrastructure. 

• Configure the ESX firewall. Verify that 
the ESX firewall is enabled with only 
the proper ports. Issue the command 
esxcfg-firewall -q to view the current 
firewall settings. Table 3 contains a 
list of ESX ports and their use. 

Use vCenter's Update Manager plug¬ 
in for patch management. I suggest using 
vCenter to manage your ESX hosts. Even 
VMware vSphere Essentials includes a 
license for VMware vCenter Server for 
Essentials, which eliminates the excuse 


Table 1: Three Network Cards on a Standalone Host

  Number of Cards   Purpose
  1                 Dedicated management network
  2                 Redundant connection for VMs

Table 2: Seven Network Cards on a Clustered Host

  Number of Cards   Purpose
  1                 Dedicated management network
  1                 Cluster heartbeat
  1                 vMotion
  2                 Redundant iSCSI SAN connection
  2                 Redundant connection for VMs

Table 3: ESX Ports and Their Use

  Port              Purpose                                    When to Disable
  22 (TCP)          SSH (console access)                       SSH access isn't necessary
  67 and 68 (UDP)   BootPS/DHCP diskless boot                  Not booting from a network image
  111; 2049         NFS client                                 Not using NFS-based storage
  902 (UDP)         VMware heartbeat/vCenter agent             If vCenter Server isn't used
  5988; 5989        CIM HTTP/CIM HTTPS monitoring/management   If CIM monitoring software isn't used
  27000; 27010      ESX licensing                              If only using host-based licensing

Figure 3: VM with a nonpersistent disk enabled


that vCenter is too expensive. Using 
the vCenter Update Manager automates 
the patching of all your ESX hosts and 
VMs running on the hosts. You should 
run vCenter on a physical server. You 
won't be able to patch the ESX host if 
your vCenter server is a VM and you're 
not in a cluster, because you must shut 
down all the VMs on the host before you 
can patch the host. vCenter lets an ESX 
administrator establish very fine-grained 
privileges when managing an ESX host 
and cluster. 

Purchase commercial SSL certificates
for ESX hosts (or issue them from an
internal PKI that your management clients
already trust). By default, ESX and ESXi
use self-signed certificates, which clients
have no way to validate, so anyone on the
network path can impersonate a host in a
man-in-the-middle attack. Replace them
with certificates from a trusted CA.

Perform VM image backups. Although 
this practice isn't directly security related, 
it can help you recover in the event of 
a major attack. I suggest performing 


regular *.vmdk image backups of VMs. 
This action significantly simplifies and 
accelerates the recovery process of the 
VM, especially if the VM is running 
Microsoft Exchange Server, SQL Server, 
or SharePoint Server. 

Use Trusted Platform Module (TPM)
on ESX hosts. TPM chips first appeared
as an option on laptops, to keep a rogue
or tampered OS from booting and,
optionally, to protect the keys used to
encrypt a laptop's hard drive. TPM chips
are now available as an option on the
current generation of servers. On an ESX
host, the TPM records measurements of
the hypervisor that actually boots, so a
hypervisor that has been replaced or
modified by a hyperstack or hyperjack
attack can be detected instead of being
silently trusted.

If you're running ESX or ESXi 4.1, be
sure to apply the patch that addresses the
root password authentication/truncation
problem. When you set a root password
in ESX or ESXi 4.1, only the first eight
characters are checked at logon; anything
beyond that is silently truncated, so any
password that matches in its first eight
characters is accepted, and a long root
password gives no more protection than
an eight-character one until the patch is
applied. For more information about this
problem, see the VMware Knowledge Base
article "ESX 4.1 and ESXi 4.1 root passwords
are authenticated up to only 8 characters"
at kb.vmware.com/kb/1024500.

Don't use nonpersistent disks. Verify 
that you don't have any nonpersistent 
disks on any of your VMs. If nonpersis¬ 
tent disks are enabled on a VM, all the 
changes to the disk are discarded when 
the VM is turned off. This is a great way 
for a hacker to cover his tracks. One of 
the few legitimate uses of a nonpersis¬ 
tent disk is in a lab environment where 
all the changes to the VM are removed 
after the VM is turned off. This setting 
can be changed only when a VM is off. To 
check whether a VM has nonpersistent 
disks enabled, start vSphere, right-click 
the VM, and select Properties. Click the 
VM's hard drive and review the VM's hard 
disk mode. The Independent check box 
shouldn't be selected. Figure 3 shows a 
VM with a nonpersistent disk enabled. 
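As an added example that isn't part of the article, the following Python script performs the same check against a VM's .vmx configuration file, so it can be run over every VM on a datastore instead of clicking through each VM's properties. Disk mode is stored in the .vmx as keys such as scsi0:0.mode = "independent-nonpersistent" (a virtual disk with no .mode key is the normal dependent, persistent disk). The SAMPLE_VMX contents are constructed for illustration and don't come from a real VM.

```python
import re
from collections import defaultdict

# Constructed .vmx contents for illustration only (not from a real VM).
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "web01"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "web01_1.vmdk"
scsi0:1.mode = "independent-persistent"
scsi0:2.present = "TRUE"
scsi0:2.fileName = "web01_2.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "install.iso"
"""

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
DISK_RE = re.compile(r'^(scsi|ide|sata|nvme)\d+:\d+$')   # device:unit, e.g. scsi0:0


def parse_vmx(text):
    """Return {key: value} for every key = "value" line; anything else is skipped."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_modes(cfg):
    """Map each attached virtual disk (device:unit) to its disk mode.
    A missing .mode key means the default dependent, persistent disk."""
    devices = defaultdict(dict)
    for key, value in cfg.items():
        if "." in key:
            dev, attr = key.split(".", 1)
            if DISK_RE.match(dev):
                devices[dev][attr] = value
    modes = {}
    for dev, attrs in devices.items():
        if attrs.get("present", "FALSE").upper() != "TRUE":
            continue
        if attrs.get("deviceType", "").startswith("cdrom"):
            continue                                  # CD/DVD devices have no disk mode
        if not attrs.get("fileName", "").lower().endswith(".vmdk"):
            continue
        modes[dev] = attrs.get("mode", "persistent").lower()
    return modes


def audit_vmx(text):
    """Return (device, severity, message) findings for a .vmx file.
    independent-nonpersistent -> FAIL: writes are discarded at power-off (anti-forensic).
    independent-persistent    -> WARN: the disk is excluded from snapshots."""
    findings = []
    for dev, mode in sorted(disk_modes(parse_vmx(text)).items()):
        if mode == "independent-nonpersistent":
            findings.append((dev, "FAIL", "nonpersistent disk: changes discarded at power-off"))
        elif mode == "independent-persistent":
            findings.append((dev, "WARN", "independent disk: not captured by snapshots"))
    return findings


if __name__ == "__main__":
    vm = parse_vmx(SAMPLE_VMX).get("displayName", "?")
    for dev, severity, message in audit_vmx(SAMPLE_VMX):
        print(f"{vm} {dev} {severity}: {message}")
```

An independent-persistent disk isn't the track-covering case the article warns about, but it's reported as well because independent disks are left out of snapshots, which matters if you intend to snapshot a suspect VM for analysis before touching it.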

Plan Ahead to Avoid Disaster 

This article isn't a comprehensive set of 
instructions for hardening your virtual 
infrastructure—realistically, an entire 
book could be written on this subject. 
However, the techniques that I suggest 
will go a long way toward securing your 
virtual infrastructure in a VMware envi¬ 
ronment. Although implementing these 
suggestions can be a significant amount 
of work, it's still less work than clean¬ 
ing up the mess if your virtualization 
infrastructure is compromised. For more 
information about security in a virtual 
environment, see VMware's “vSphere 
4.1 Hardening Guide" at communities 
.vmware.com/docs/DOC-15413.



Active Directory Replication In Depth


In "Troubleshooting Active Directory Replication" (March 2011, InstantDoc ID 129333),
Sean Deuby presented several strategies for solving Active Directory (AD) replication
problems. To troubleshoot AD replication at a deeper level, it helps to have an in-depth
understanding of how replication works when changes occur in the directory. AD was one
of the first LDAP directories to introduce multi-master replication, whereby changes can
originate in any instance of the directory (i.e., on any domain controller—DC). Previously,
as with Windows NT 4.0, changes could originate on only one DC, the Primary Domain
Controller (PDC). Multi-master replication has numerous inherent benefits, but it presents
a complex problem: how to coalesce and replicate changes to the directory. Throughout this
article, I'll refer back to the simple three-DC domain that Figure 1 shows.


by Brian Desmond 


Keeping Track of Replication 


AD uses several counters and tables to ensure that every DC has the most current information for 
each attribute and object and to prevent any endless replication loops. AD uses naming contexts 
(NCs), also known as directory partitions, to segment replication. Every forest has a minimum of 
three NCs: the domain NC, the configuration NC, and the schema NC. AD also supports special 
NCs, often known as application partitions or non-domain naming contexts (NDNCs). DNS uses 
NDNCs (e.g., DomainDnsZones, ForestDnsZones). Each NC or NDNC replicates independently 
of one another. 

Every DC maintains a special counter known as an update sequence number (USN) counter. 
The USN is a 64-bit number that you can think of like a clock. The USN counter is never decre¬ 
mented, and a USN can never be reused. Each DC maintains a separate USN counter that starts 
during the Dcpromo process and is incremented over the lifetime of a DC. It's improbable that 
any two DCs in a forest will ever have the exact same USN at the same time. The USN counter is 
incremented each time a transaction occurs on a DC. Transactions are typically create, update, 
or delete operations against an object. An update transaction might include updates to a single 
attribute, or it might include updates to many attributes. In the event that a transaction fails and 
is rolled back, the USN assigned to the transaction isn't reused. When an object is modified (or 
created), the usnChanged attribute of that object is stamped with the USN of the transaction 
that caused the change. You can therefore keep track of changes to AD by asking a DC for all 
the objects for which the usnChanged attribute is greater than the highest USN the last time 
you checked. 

Table 1 illustrates a simple example of the changes to the USNs of three DCs over time.
Consider a scenario in which you create five new groups on DC-A. This action will increment
DC-A's USN counter by five. DC-A then replicates these groups to DC-B, whose USN counter
is incremented by five. (Note that the initial USN values in Table 1 were chosen for illustration
purposes.) Subsequently, you edit the name of one of the groups on DC-B, and DC-B's USN counter
is incremented by one. When the change in name replicates to DC-A, DC-A's USN counter is
incremented by one.

Learning Path

To learn more about Active Directory:

"Recovering from Active Directory Disasters," InstantDoc ID 129989
"Troubleshooting Active Directory Replication," InstantDoc ID 129333
"Delegating Privileges in Active Directory," InstantDoc ID 129156
"Troubleshooting from the Wire up for Active Directory and Beyond," InstantDoc ID 128973
"Extending the Active Directory Schema," InstantDoc ID 126022
"Kerberos in Active Directory," InstantDoc ID 125786
"Advanced Active Directory Security," InstantDoc ID 125777
"Incorporating RODCs into Active Directory," InstantDoc ID 125624
"Virtualizing Active Directory," InstantDoc ID 125464
"Create Active Directory MMC Consoles for Down-Level Administrators," InstantDoc ID 103678
"Soothe 5 Active Directory Headaches," InstantDoc ID 103576
"Speeding up AD Replication Across Your Forest," InstantDoc ID 137294
"Why AD Replication Troubleshooting Is Hard," InstantDoc ID 137277

From the perspective of DC-A, when 
the five groups are created, this is consid¬ 
ered to be an originating write. From the 
perspective of DC-B, this is a replicated 
write. Conversely, when a group's name
is updated on DC-B, DC-B considers
this action an originating write and DC-A
considers it a replicated write.

The AD replication process identi¬ 
fies all the DCs participating in the 
replication process using two globally 
unique identifiers (GUIDs). The first 
GUID, the Directory Service Agent (DSA) 
GUID, is established during Dcpromo 
and doesn't change for the lifetime of 
the DC. The DSA GUID is stored in 
the objectGuid attribute of the NTDS 
Settings object under the DC as shown in 
Active Directory Sites and Services. The 



second GUID, the Invocation 
ID, is the identifier for the DC 
during the replication process; 
it might change during the DC's 
lifetime. 

The Invocation ID is stored
in the invocationId attribute of
the NTDS Settings object. Any
time a restore is performed on 
a DC by a supported restora¬ 
tion process, such as Windows 
Server Backup or NTBACKUP, 
that DC's Invocation ID is reset. 

By resetting the Invocation 
ID, AD is able to ensure that 
the DC receives a copy of any 
changes that occurred on that 
DC between when the backup 
was taken and when the restore 
was performed. Because the 


Invocation ID is the 
unique identifier for the 
DC during the replication 
process, the reset of the 
Invocation ID effectively 
ensures that the DC enters 
the replication process as 
a new DC and there are no 
assumptions about data 
that might already exist 
on that DC. Improper res¬ 
toration of a virtualized 
DC, such as restoring or 
reverting back to a saved 
snapshot, won't reset the 
DC's Invocation ID. This 
leads to a situation known 
as USN rollback, which 
can cause severe replica¬ 
tion problems. 

Now that we've dis¬ 
cussed how replication 


keeps track of DCs and changes, we can 
take a look at how replication determines 
what changes need to be replicated to a 
given DC and how replication ensures 
that changes aren't unnecessarily rep¬ 
licated. Two tables are used for this 
process: the High-Watermark Vector 
(HWMV) and the Up-To-Dateness Vector 
(UTDV). The HWMV is maintained inde¬ 
pendently by each DC to keep track of 
where it left off (in terms of the last USN) 
replicating an NC with a given partner. 
The UTDV is used by DCs to ensure that 
they don't create needless replication or 
a loop. When DC-A sends DC-B a request 


Table 1: USN Changes Over Time

  Operation                    DC-A USN   DC-B USN   DC-C USN
  Initial USN                  5,000      7,000      2,000
  Create 5 groups on DC-A      5,005      7,000      2,000
  Replicate groups to DC-B     5,005      7,005      2,000
  Replicate groups to DC-C     5,005      7,005      2,005
  Update a group on DC-B       5,005      7,006      2,005
  Replicate update to DC-A     5,006      7,006      2,005
  Replicate update to DC-C     5,006      7,006      2,006


Table 2: DC-A's High-Watermark Vector (HWMV)

  Naming Context   Domain Controller ID   Last USN
  Domain NC        DC-B Invocation ID     7,006
  Domain NC        DC-C Invocation ID     2,006

Table 3: DC-B's High-Watermark Vector (HWMV)

  Naming Context   Domain Controller ID   Last USN
  Domain NC        DC-A Invocation ID     5,006
  Domain NC        DC-C Invocation ID     2,006
for replication, it includes its UTDV
so that DC-B sends only changes that 
DC-A hasn't received (e.g., in the case of 
changes made on DC-B that were repli¬ 
cated to DC-C and in turn to DC-A). 

Table 2 shows the HWMV of DC-A 
after the changes that occurred earlier, 
as shown in Table 1. Table 3 shows the 
HWMV of DC-B after the changes that 
occurred earlier, as shown in Table 1. 

The UTDV stores the highest originat¬ 
ing update USN that the DC has received 
from every other DC replicating a given 
NC. By storing this information, DCs 
will never be sent changes that they've 
already received via another path (e.g., 
if a change occurs on DC-A, but DC-C 
receives it via DC-B). This behavior is 
often referred to as propagation damp¬ 
ening. Using the UTDV, the DC sending 
the information is able to determine 
changes it hasn't sent to the DC that's 
requesting replication, but also not send 
changes the DC has already received 
from other DCs. This behavior prevents 
an endless loop of changes being repli¬ 
cated between DCs. 

To summarize this process, each DC 
maintains an independent, forward- 
moving counter known as a USN counter. 
The USN counter on a DC is incremented 
each time that DC performs an originat¬ 
ing write (such as a create, delete, or 
update) to the directory. When DCs repli¬ 
cate, they ask for all the changes since the 
previous USN they replicated from that 
DC. This previous USN is stored in the 
HWMV so that DCs don't ask for changes 
they've already received. Inside each 
replication request, DCs also include 
their UTDV. Each DC maintains a UTDV 
for each NC replicated, and inside the 
UTDV the DC tracks the highest originat¬ 
ing update USN for which it has received 
changes, for every DC replicating the NC. 
This prevents endless replication loops 
and leads to the behavior known as prop¬ 
agation dampening, which ensures that 
updates aren't needlessly replicated. 

Tracking Object Updates 

The key to AD's replication model is 
replication metadata (i.e., information 
about the data that has replicated). 
Replication metadata is associated with 
each object in the directory, and this is 


what AD uses to determine the relative 
state of objects across multiple DCs. 
Every object has a number of fields that 
it stores on a per-attribute basis inside a 
table that constitutes that object's repli¬ 
cation metadata: 

• Attribute name 

• Change timestamp 

• Attribute version number 

• Originating DC ID (DSA GUID) 

• Originating DC USN 

If we consider a simplified version of 
the scenario outlined earlier, in which 
we complete the following tasks, we can 


illustrate how each of these fields in the 
replication metadata changes: 

1. Create a user on DC-A. 

2. Replicate that user to DC-B. 

3. Modify an attribute of the user on DC-B. 

4. Replicate the change back to DC-A. 


When we create a user on DC-A (as in 
Step 1), the new user's replication meta¬ 
data will look similar to Table 4. In the 
interest of simplification, I've included 
only three attributes (first name, last 
name, and password); however, many 
more attributes are set when a user is 
created. 

The usnCreated attribute of the user 
is also permanently set on DC-A to 5,001. 
The usnChanged attribute is also set 
to 5,001; however, this attribute will be 
modified each time an update is made 
(originated) or received (replicated) for 
the user. After the new user replicates to 
DC-B (Step 2), the replication metadata 
on DC-B will match Table 5. 

When a change to the user's password 
(Step 3) occurs on DC-B, the metadata 
for the password attribute (unicodePwd) 
is updated, as Table 6 shows. The change 
is subsequently replicated back to DC-A, 
which updates the local metadata for the 
user, as Table 7 shows. 
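The following Python model, added here as an illustration and not Microsoft's implementation, ties together the mechanics described in this section and the previous one: USN counters, originating versus replicated writes, the HWMV, the UTDV and propagation dampening, per-attribute replication metadata, and the USN rollback that results from reverting a virtualized DC to a snapshot. One modelling choice is an assumption: it keys the HWMV, the UTDV and the originating-DC field of the metadata by Invocation ID rather than DSA GUID, which is what makes a supported restore (new Invocation ID) re-synchronize correctly while a snapshot revert (same Invocation ID) does not. The DC names and starting USNs replay Tables 1 and 4 through 6; the object and attribute values, including the "backdoor-admin" object, are constructed.

```python
import copy
import uuid

class DomainController:
    """Toy model of one DC replicating a single naming context (illustration only).
    Assumption: HWMV, UTDV and originating-DC metadata are keyed by Invocation ID."""

    def __init__(self, name, initial_usn):
        self.name = name
        self.invocation_id = uuid.uuid4().hex   # reset only by a supported restore
        self.usn = initial_usn                  # local USN counter: forward-moving, never reused
        self.objects = {}   # obj -> {attr: (value, version, originating_id, originating_usn, local_usn)}
        self.hwmv = {}      # partner Invocation ID -> partner USN we have replicated up to
        self.utdv = {self.invocation_id: initial_usn}   # originating ID -> highest originating USN held

    def write(self, obj, **attrs):
        """Originating write: one transaction, one USN, version bumped per attribute."""
        self.usn += 1
        cur = self.objects.setdefault(obj, {})
        for attr, value in attrs.items():
            version = cur[attr][1] + 1 if attr in cur else 1
            cur[attr] = (value, version, self.invocation_id, self.usn, self.usn)
        self.utdv[self.invocation_id] = self.usn
        return self.usn

    def changes_since(self, last_usn, requester_utdv):
        """Changes stamped locally after last_usn (the requester's HWMV entry) whose
        originating USN the requester's UTDV does not already cover (dampening)."""
        out = {}
        for obj, attrs in self.objects.items():
            for attr, meta in attrs.items():
                _, _, orig_id, orig_usn, local_usn = meta
                if local_usn > last_usn and orig_usn > requester_utdv.get(orig_id, 0):
                    out.setdefault(obj, {})[attr] = meta
        return out

    def pull_from(self, src):
        """One replication cycle from src; returns the number of objects updated."""
        changes = src.changes_since(self.hwmv.get(src.invocation_id, 0), self.utdv)
        updated = 0
        for obj, attrs in changes.items():
            cur = self.objects.setdefault(obj, {})
            new = {a: m for a, m in attrs.items() if a not in cur or cur[a][1] < m[1]}
            if not new:
                continue                        # an equal or higher attribute version is already held
            self.usn += 1                       # replicated write: one local USN per object
            for attr, (value, version, orig_id, orig_usn, _) in new.items():
                cur[attr] = (value, version, orig_id, orig_usn, self.usn)
                self.utdv[orig_id] = max(self.utdv.get(orig_id, 0), orig_usn)
            updated += 1
        self.hwmv[src.invocation_id] = src.usn
        for inv, usn in src.utdv.items():       # cycle complete: absorb the source's UTDV
            self.utdv[inv] = max(self.utdv.get(inv, 0), usn)
        return updated

    def restore_from_backup(self):
        """Supported restore (Windows Server Backup/NTBACKUP): the Invocation ID is reset."""
        self.invocation_id = uuid.uuid4().hex
        self.utdv[self.invocation_id] = self.usn

def table1_scenario():
    """Replays Table 1; returns the final (A, B, C) USNs and how many objects DC-C
    applies when it afterwards pulls straight from DC-A (0: A's writes came via B)."""
    a, b, c = DomainController("DC-A", 5000), DomainController("DC-B", 7000), DomainController("DC-C", 2000)
    for i in range(1, 6):
        a.write(f"Group{i}", name=f"Group{i}")   # five originating writes on DC-A
    b.pull_from(a)
    c.pull_from(b)
    b.write("Group1", name="Group1-renamed")     # originating write on DC-B
    a.pull_from(b)
    c.pull_from(b)
    return (a.usn, b.usn, c.usn), c.pull_from(a)

def metadata_scenario():
    """Replays Tables 4-6: create a user on DC-A, replicate to DC-B, reset the password there."""
    a, b = DomainController("DC-A", 5000), DomainController("DC-B", 7000)
    a.write("jdoe", givenName="John", sn="Doe", unicodePwd="constructed-1")
    b.pull_from(a)
    b.write("jdoe", unicodePwd="constructed-2")
    a.pull_from(b)
    return a, b

def usn_rollback(proper_restore):
    """Does DC-A ever receive a write DC-C makes after being rolled back to a snapshot?"""
    a, c = DomainController("DC-A", 5000), DomainController("DC-C", 2000)
    snapshot = copy.deepcopy(c)                  # VM snapshot of DC-C
    c.write("svc-backup", description="written after the snapshot")
    a.pull_from(c)                               # DC-A's HWMV entry for DC-C is now 2001
    c = copy.deepcopy(snapshot)                  # revert: USN back to 2000, same Invocation ID
    if proper_restore:
        c.restore_from_backup()
    c.write("backdoor-admin", description="post-revert write that reuses USN 2001")  # constructed
    a.pull_from(c)                               # HWMV says 2001 was already replicated
    return "backdoor-admin" in a.objects
```

table1_scenario() ends with the USNs from the last row of Table 1 and a dampened pull of zero objects, metadata_scenario() leaves DC-B's unicodePwd at USN 7,002, version 2, originating on DC-B as in Table 6, and usn_rollback(False) shows why a snapshot revert is dangerous: DC-C reuses USN 2,001 under its old Invocation ID, DC-A's high-watermark already says it has seen 2,001, and the post-revert object is never replicated, while the two DCs silently disagree about which objects exist. With a supported restore (usn_rollback(True)) the new Invocation ID has no HWMV or UTDV history, so the write is picked up.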

Decoding Object History 

One of the nice things about replication 
metadata is that it lives with an object 
for its entire life. If you've ever been 
asked where or when an attribute was 
changed, or when an object was cre¬ 
ated, you can use replication metadata 
to find out. The data is accessible in a 
couple of difficult-to-understand for¬ 
mats as an attribute of the object, but 


Table 4: New User Replication Metadata on DC-A

  Attribute    USN     Version Number   Timestamp         Originating DC   Originating USN
  givenName    5,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  sn           5,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  unicodePwd   5,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001

Table 5: New User Replication Metadata on DC-B

  Attribute    USN     Version Number   Timestamp         Originating DC   Originating USN
  givenName    7,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  sn           7,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  unicodePwd   7,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001

Table 6: Updated User Replication Metadata on DC-B

  Attribute    USN     Version Number   Timestamp         Originating DC   Originating USN
  givenName    7,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  sn           7,001   1                21-Mar-11 21:06   DC-A DSA GUID    5,001
  unicodePwd   7,002   2                22-Mar-11 12:06   DC-B DSA GUID    7,002
IT operational efficiencies have multiplied in
recent years, thanks to technologies such as 
virtualization. One operational area where 
virtualization can enhance efficiency is man¬ 
aging ubiquitous corporate desktop and laptop 
computers—mainstays of the modern knowl¬ 
edge worker. These systems provide an essential 
interactive link to the enterprise information 
network, and also serve as local repositories for 
critical data employees use in their everyday work. 
Users interact both with traditional, locally stored, 
applications—word processing, spreadsheets, and 
email—as well as network applications, which 
may have local components or reside entirely on 
remote servers, accessed via a Web browser. 

The traditional way of administering desktops 
has been to treat them as extensions of an enter¬ 
prise's information assets, with the IT depart¬ 
ment responsible for installing and updating 
the software components desktops run locally, 
and for protecting and backing up the data they 
accumulate. Desktop-resident applications and 
data are also subject to a growing body of secu¬ 
rity threats, requiring sophisticated anti-virus 
and anti-malware software, which also must be 
installed and maintained. 

It's more difficult to back up, secure, and man¬ 
age enterprise data in desktops and laptops when 
users bring their own PCs, personal apps, and 
cloud-based resources to the platform. As local 
storage capacities increase and new interaction 
models, such as cloud services, evolve, IT manag¬ 
ers find that separating and protecting enterprise 
data becomes more challenging. 

Desktop Virtualization (DV) moves critical appli¬ 
cation software and user data from local desk¬ 
top computers into the enterprise data center, 
where it can be more cost effectively—and more 
reliably—maintained and protected. The endpoint 
then becomes a portal through which users access 
their virtual workspace. The endpoint device can 
exploit best-of-breed processor, network, and 
display technology without compromising busi¬ 
ness management objectives. Better yet, it frees 
users to access their workspace from any loca¬ 
tion, through a variety of devices, including smart 
phones and tablet computers. 

This is a double win for the enterprise. IT staffers 
can focus on keeping centrally stored applications 
and data updated, backed up, and secure. Users 
gain new mobility features, and the ability to 
access their workspaces using new devices, giving 
them the flexibility to work from any location, at 
anytime. 

Getting from where you are today, with a myriad 
of diverse desktop systems and varying end user 


requirements, to a DV infrastructure, is straight¬ 
forward, but requires some advance planning to 
ensure a successful transition. First, you need to 
understand—and articulate to management— 
the cost and administrative advantages that can 
accrue with DV. You'll also need to understand the 
four delivery models that make up DV, and the 
pros and cons of each model. Armed with that 
information, you'll be ready to assess your current 
user population, select the DV approach that best 
matches each user's current application and hard¬ 
ware needs, and begin the deployment process. 

Why You Need Desktop Virtualization

As an IT professional, you live and breathe the daily complexities of end user computer administration. However, management often doesn't realize the tradeoffs of various management approaches. It's up to you to enumerate these tradeoffs for various delivery models, ensuring that actual computing occurs where it makes the most sense. DV can enhance the security and maintainability of enterprise data, but exploiting high-performance endpoint devices, such as Intelligent PCs, can offload work from your virtualization infrastructure, increasing VM density. Centralized management is critical to balancing these objectives.

Deploying a desktop today requires physically installing an operating system (OS) image, along with licensed applications and user preference items, plus security credentials for protected network connectivity. Applications often have complex interactions and dependencies with desktop OS features, making them difficult to deploy and maintain.

Once deployed, the desktop with its OS and applications must be updated across the network—particularly challenging for mobile devices that rarely, if ever, reconnect to the enterprise LAN. A steady stream of security and functional patches means that this is a continuous, often daily, process, which can be frustrated by network performance bottlenecks and problems reaching desktops across the network. The "desktop" population also includes laptops, which are easily as powerful as most fixed-location workstations, and hence incur the same routine administrative effort. For both systems, updates and maintenance windows must be coordinated with users, inevitably inconveniencing some, which impacts productivity.

Users often end up storing critical data on local computers, where the data is hard to catalog, back up, and secure. User computers typically also have data export features, such as writeable discs and thumb drives, that present security control issues for sensitive data that may be extracted illicitly. Users often use these same capabilities to install unauthorized software or inadvertently contract malware infections. When desktops break, someone must go onsite to fix them, transferring the user's data and applications if a replacement is needed, which can take hours of valuable technician time.

Increasingly, users want to be productive from home, hotels, airports, and other remote locations, accessing their needed apps and data. This capability is not trivial to deliver securely, and users often face strikingly different environments, as well as degraded performance, when accessing applications remotely.

Finally, DV gives both the enterprise and end user better control over hardware refresh cycles, which typically require coordinated, organization-wide hardware deployment and time-consuming migration of each user's physical desktop. With DV, endpoint devices can be replaced one at a time, based on the needs of either the end user or IT, without disrupting the user's desktop experience.

By communicating the advantages of DV to management, you'll make clear how much can be saved by taking advantage of DV security and support features. Management will be better positioned to see how DV can level administrative costs, improving productivity through enhanced user work flexibility. By delivering a fully managed, on-demand virtual desktop anywhere your users work, you'll optimize knowledge worker capabilities while simultaneously reducing total expenses.

DV Delivery Models

DV enhances desktop image management by separating the OS from applications, data, and user preferences. Virtualization can occur at the application level or globally for the entire user desktop experience. Different delivery models exist that have unique advantages and disadvantages, depending on end user performance and capability requirements, but no single approach works for all users: You must fit the desktop virtualization delivery model to each employee's hardware, performance, and workflow.

There are four delivery models in common use with desktop virtualization:

• Application Streaming of a Virtual App. Applications are encapsulated as self-contained packages that include a subset of OS preference files and personalization settings. These are then delivered on demand over the network via HTTP or the Real Time Streaming Protocol (RTSP) in a form that can run on an endpoint device (e.g., an Intelligent PC). Applications execute on the end user hardware, exploiting its computational capability to reduce central server complex workload, without conflicting with other applications, while leaving no "footprint" on that device to be protected, backed up, or maintained.

• Session-based Applications. Applications actually reside and execute on a central server complex, with applications distributed among several servers as necessary. End users connect to running instances of these applications via an endpoint device or software client. The endpoint device presents each application's user interface in its own window, frame, or virtual desktop (depending upon the implementation). This provides a low-cost entry point for desktop virtualization via "bring your own computer" platform leverage, which lets you transition to DV by utilizing the users' existing hardware. Because only user interface events pass over the network, network traffic is minimized and predictable, ensuring a consistently responsive experience for the user.

• Virtual Desktop Infrastructure. A central server complex maintains a complete traditional Windows desktop computing environment for each user, which communicates with the endpoint device. The user maintains the familiar general-purpose computing environment to which they're accustomed, without, for the most part, realizing the environment is remote and not local. Desktop streaming is a form of VDI in which a virtual hard drive (VHD) image containing the desktop OS is streamed to the endpoint device every time the user logs on, and executes locally as a virtual machine.

• Local Virtual Machine. The user's desktop (or desktops) environment is contained in one (or more) virtual machines that execute on a laptop, which periodically connects to the network to resynchronize. Offline users can still access all their apps, while still gaining most of the benefits of centralized administration.

Each of these delivery models has advantages and disadvantages, but each addresses particular management problems IT departments face with traditional desktop computing. Here are the advantages all four delivery models have in common:

• Applications no longer depend upon user hardware and operating system components, and thus become more consistent.

• Application developers have a smaller body of technologies to deal with, and can count on a more powerful set of basic facilities for each user.

• All user data is captured and stored centrally, where it can be readily backed up, and secured using robust encryption technologies. Only the form of storage and management varies between delivery models.

• IT controls the high capacity data extraction capabilities of users, and limits user abilities to install unauthorized software while simultaneously reducing risks from malware.

• IT staff deploy standardized endpoint hardware with capabilities matched to each user's work requirements. Endpoint devices need no post-install configuration, using only the firmware or software as delivered by the manufacturer. Configuration occurs automatically once the new hardware connects to the network for the first time.

• Because keyboard, display, peripheral, and network technologies are fairly mature and stable, hardware refresh cycles for such peripherals are much less frequent, on the order of five to ten years. This can extend the life of existing legacy desktop and laptop equipment, due to desktops now residing in the data center. Yet power users can still exploit the latest and greatest processor and networking products to meet their enhanced productivity needs.

• Because all application virtualization technologies are network-centric, they are readily accessible from any remote location, given appropriate bandwidth, using standard, highly secure encryption protocols.

• The wide availability of broadband connectivity, even over cellular networks, ensures that the bandwidth-friendly user interface traffic is efficiently transported, providing a consistently responsive interface.

The key to achieving these benefits without incurring new administrative workload and skill requirements is centralized management. A single cohesive management toolset spanning all delivery models you plan to use is better than a disjointed toolset with varying user interfaces and management capabilities.

Making DV Delivery Choices

Deciding which models to use requires first assessing and understanding your existing user population. Not all users have the same computing performance requirements, and more sophisticated users often place more importance on some features than others.

Before you start the assessment, first prioritize your transition objectives. Are you primarily interested in enhancing backup and security? Or are you seeking to reduce costs for a particular segment of end users? Does a particular group of advanced users have critical performance requirements that must be maintained? Is mobility a key enabler for any one class of knowledge workers?

Your assessment process should begin by segmenting users by the sets of applications they use, their workplace location, existing endpoint hardware, mobility needs, and relative job importance. For instance, one user segment might consist of workers primarily using office productivity applications at the HQ site, primarily for administrative tasks. Another segment could be middle managers who travel between branch offices and run line-of-business-specific applications. A third segment may consist of graphic designers requiring fast response times and rapid access to image libraries.

With users segmented, you can devise a "transformation" plan for each group: selecting which applications, in what order, will move to DV. This plan should include a reference model for standardized endpoint hardware, quantification of each group's network bandwidth needs, and any high-end technology requirements, such as graphics, video, or other specialized media. If a group needs mobile access, your reference hardware set may include specific mobile devices such as laptops or tablets.

At this point you should select a DV delivery model for each user segment. Here are the specific strengths and weaknesses of each delivery model, which will help you make optimal choices:

• Application Streaming of a Virtual App. This model exploits local processing power where available, minimizing the effects of network latency. The application streaming model lets you migrate high-impact applications first, to reap the benefits of centralized administration for the highest immediate payback. However, legacy apps remaining on the user's computer must be maintained using the old break/fix/patch paradigm until they're migrated to DV.

• Session-based Applications. Because session-based applications run on centralized infrastructure, with the endpoint device serving as a "window" to each application, you can apply more data center resources to higher-priority applications when necessary to guarantee acceptable response times. The technology components of this model let you optimize user interface transport for the available network: high-speed LAN or lower-speed WAN. This means that the primary factor in performance is the available network bandwidth rather than the speed of the endpoint hardware.

• Virtual Desktop Infrastructure. VDI gives users a complete desktop environment with which they're already familiar while relocating that environment to data center server and storage resources, where the desktop OS, applications, and local data can be more easily secured, backed up, and maintained. VDI offers persistent personalization, so users return to the state they were last in regardless of the location from which they access their desktop environment. All aspects of the user environment can be controlled for all applications: security, backup, authentication, and data storage. However, this model can be the most sensitive to bandwidth restrictions, and a large number of VDI users on a single local network require significant backbone LAN bandwidth capacity.

• Local Virtual Machine. By encapsulating a complete desktop inside a VM running directly on the endpoint device, users can work offline using mobile computing devices—laptops today, tablets and smart phones in the future. Centralized administration keeps management in control of enterprise data assets. Only the periodic synchronization process is affected by available network bandwidth, which can be deferred until the user returns to the high-speed corporate LAN. Nevertheless, synchronization can be time consuming if not performed frequently enough, or using sufficient bandwidth.

Getting to DV

DV eases a myriad of IT administrative tasks: break/fix, security, backup, and software maintenance. It also can improve business agility by enhancing user mobility and workplace flexibility: secure mobile access across a range of devices is almost a free byproduct.

No one approach works for all users; you must fit the desktop virtualization delivery model to the user. You should expect to deploy more than one delivery model, and that means putting in some time planning your DV transition, by prioritizing objectives, assessing your user population, and devising a DV transformation plan.

The key to a successful DV transformation is strong centralized management software that supports all the DV deployment models you plan to use. That management platform (e.g., Microsoft System Center) will carry you through the transition, and provide you with streamlined DV administration going forward.

Mel Beckman is a senior technical editor for Penton
providers and is currently president of Beckman Software Engineering, a technical consultancy specializing in large-scale, high-bandwidth networks.
County of Santa Barbara, DuPont Displays, IBM, Loral Federal Systems, United Airlines, the U.S. Department of Agriculture, and the U.S. Department of Energy.

Mel has presented seminars on computer programming and network technology throughout the United States, Europe, and Asia.
Any Application, Any User, Anywhere

Desktop virtualization is a set of desktop and application delivery technologies that improve flexibility and business agility, increase security and reduce costs associated with the corporate desktop environment. Desktop virtualization includes multiple technologies that together help with the delivery of end-user desktops, applications and data. Desktop virtualization is different from, but complemented by, server virtualization, which divides a single server hardware resource into multiple virtual machines, each one hosting a separate server operating system.

Citrix® XenDesktop® is a complete desktop virtualization solution, which transforms Windows® desktops and applications to an on-demand service to any user, any device, anywhere. XenDesktop quickly and securely delivers any type of virtual desktop or Windows, web and SaaS application to all the latest PCs, laptops, Macs, tablets, smartphones, and thin clients - all with a high-definition user experience. Within XenDesktop, best-of-breed technologies are combined together to provide a comprehensive solution to any end-point: Microsoft App-V for packaging and isolation and Citrix XenApp™ for on-demand application delivery.

Selecting the right device for a desktop virtualization implementation will vary depending on the user's role and requirements. For example, thin clients are great devices for office workers using some of the hosted virtual desktop solutions thanks to their low cost and power requirements, but may not be able to meet the needs of more performance intensive or mobile users. For these users, an intelligent PC is the answer. Intelligent PCs support all the desktop virtualization models and provide the best user experience and mobility.

XenDesktop offers a broad range of desktop virtualization solutions to address the varying performance and personalization requirements of all types of workers. Some require simplicity and standardization while others need high performance or a fully personalized desktop. XenDesktop can meet all these requirements in a single solution with Citrix FlexCast™ delivery technology. With FlexCast, IT can deliver every type of virtual desktop, hosted or local, physical or virtual—each specifically tailored to meet the performance, security and flexibility requirements of each individual user.

XenDesktop combines the unique capabilities of the high-performance, device-independent Citrix FlexCast delivery technology with best-of-breed Microsoft® Hyper-V™ virtualization and Intel's powerful virtualization-optimized client and server processors to deliver on-demand virtual desktop and applications anywhere your users work.

While FlexCast technology delivers XenDesktop customers desktop and application delivery flexibility, Citrix Receiver™ provides customers the flexibility to work from anywhere using any device they'd like. Receiver is a universal client that lets users access their virtual applications and desktops using any PC, Mac, thin client, smart phone, or tablet. For advanced graphics and high resolution video, Citrix HDX™ brings high definition imaging capabilities to any device, over any network, while minimizing bandwidth consumption.

Guiding you through the journey from legacy desktop management to virtualized desktop delivery is Citrix' Desktop Transformation Model, a proven, staged process for moving users to XenDesktop's streamlined, on-demand, service-oriented facilities. The Desktop Transformation Model walks you through assessing and segmenting your user population, defining reference device specifications, and selecting the best FlexCast delivery technology for each user and application.

How XenDesktop Works

XenDesktop enables IT to separate the device, OS, applications and user personalization and maintain single master images of each. Instead of juggling thousands of static desktop images, IT can manage and update the OS and apps once, from one location. Imagine being able to centrally upgrade the entire enterprise to Windows 7 in a weekend, instead of months. Single-instance management dramatically reduces on-going patch and upgrade maintenance efforts, and cuts data center storage costs by up to 90 percent by eliminating redundant copies.

XenDesktop can also dramatically improve endpoint security by eliminating the need for data to reside on the users' devices. Centralized data, encrypted delivery, a hardened SSL VPN appliance and multi-factor authentication further ensure that only authorized users connect to their desktops, intellectual property is protected, and regulatory compliance requirements are met.

On the user side, if a user's device breaks, simply deliver a new device. The user then resumes work where he or she left off before the breakage. Nothing could be simpler.

The user is online again instantly, with minimal work interruption and no time spent by technical staff transferring their personal content and preferences. In fact, if the user's work situation means they can't wait for replacement hardware, they can simply log in from any available device and find their running applications and desktop environment just the way they left them.

XenDesktop is designed to streamline staged deployment, so you avoid the tribulations of "fork lift" upgrades. You start by installing XenDesktop on your existing Hyper-V infrastructure that is managed with System Center. You need not purchase new hardware or management tools to run XenDesktop's data center components, which can be entirely virtualized. Microsoft Hyper-V is uniquely tailored to work with Windows operating systems of all flavors, and gives you a single, cohesive management infrastructure encompassing desktop and server administration.

Intelligent clients powered by Intel® Core™ vPro™ processors' optimized CPU and display technologies enable users to take advantage of the broad FlexCast delivery technologies. Additionally, by turning on the multi-media redirection capabilities of XenDesktop, you can take greater advantage of an intelligent client's CPU power and video capabilities to offload the processing from the server, thus increasing the capabilities of the server to support additional virtual desktops.

To learn more about Citrix XenDesktop, visit www.citrix.com/XenDesktop. For more information about how Citrix is working with Intel and Microsoft, visit www.citrix.com/Intel and www.citrixandmicrosoft.com, respectively.
Table 7: Updated User Replication Metadata on DC-A

Attribute    USN    Version Number  Timestamp        Originating DC  Originating USN
givenName    5,001  1               21-Mar-11 21:06  DC-A DSA GUID   5,001
sn           5,001  1               21-Mar-11 21:06  DC-A DSA GUID   5,001
unicodePwd   5,002  2               22-Mar-11 12:06  DC-B DSA GUID   7,002

Figure 2: User object replication metadata

Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
8194     Site-A\DC-A      8194     2008-03-24 21:27:24  1    objectClass
8194     Site-A\DC-A      8194     2008-03-24 21:27:24  1    cn
8194     Site-A\DC-A      8194     2008-03-24 21:27:24  1    description
12727    Site-B\DC-B      12727    2010-03-22 18:53:46  2    givenName


fortunately Repadmin, which is included in Windows Server 2008 and later (or in the Support Tools for previous versions of Windows), makes it easy to decode the data.

To review the replication metadata of an object, you must provide the DC to request the metadata from and the distinguished name (DN) of the object in question. You can use the following command to review the metadata for a user ('User A' on DC-A):

repadmin /showobjmeta "DC-A" "CN=User A,CN=Users,DC=contoso,DC=com"

You'll see output similar to that in Figure 2.

From this output, we can see that the user was created on DC-A on March 24, 2008. This is evident based on the originating timestamp and originating DSA for the objectClass attribute, which is version 1. The objectClass attribute can change in some scenarios, in which case you'd need to look elsewhere (such as the metadata for the objectGuid attribute). On March 22, 2010, the user's givenName (first name) was modified on DC-B, as evidenced by the same originating DSA and originating timestamp columns. You can determine the number of changes that have been made to an attribute based on the version number.

Resolving Conflicts

When it's possible to make changes to the same object on multiple DCs at the same time, conflicts can occasionally occur. The most common types of conflicts are objects that are created in the same place with the same name (e.g., two "John Doe" accounts in the same organizational unit—OU) and changes to the same attribute in between replication cycles.

In the case of whole object conflicts, the problem is that it isn't permissible to have two objects with the same relative distinguished name (RDN) within a given container. If you created the user "John Doe" in AD, by default that user's RDN would be 'CN=John Doe'. If another administrator created an account for John Doe on a different DC in the same container before your user replicated, the change would be permitted—however, during replication AD would need to handle the duplicate RDNs. AD does this by keeping the RDN of the object with the most recent timestamp and renaming the older object(s) such that their GUID is appended (e.g., the older John Doe would have an RDN of 'CN=John Doe\0ACNF:<ObjectGUID>'). In the case in which the conflict is caused by renaming an object rather than creating a new object, the version number of the RDN attribute (typically CN) is considered first, and the highest version number wins.


When changes occur to the same attribute within a replication cycle (e.g., perhaps a user's description is changed on two DCs by two administrators at about the same time), AD must decide which update to keep. AD first looks at the version number of the attribute in the replication metadata. The change with the highest version number wins. If the version numbers are equal, AD then looks at the timestamps and picks the last write. In the unlikely event that the timestamps are identical, AD looks at the originating server GUIDs and picks the change from the mathematically largest originating server GUID.
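As an added example (not code from the article), the following Python decodes rows laid out like the Figure 2 output of repadmin /showobjmeta, pulls out the creation origin and last writer the way the text reads them, and applies the three-step tie-break just described to two competing writes. The sample output is constructed from the figure's values; the Site-A\DC-A and Site-B\DC-B names and the DSA GUIDs in demo_conflicts() are placeholders, and treating the "mathematically largest" GUID as the larger 128-bit integer is an assumption.

```python
"""Decode `repadmin /showobjmeta` rows and apply AD's attribute conflict rules.

Added example, not code from the article. SAMPLE_SHOWOBJMETA is constructed to
match the column layout of Figure 2; the DSA GUIDs in demo_conflicts() are
made-up placeholders, not real invocation IDs.
"""
import re
import uuid
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AttrMeta:
    """Replication metadata for one attribute of one object."""
    local_usn: int            # Loc.USN: USN assigned on the DC we queried
    originating_dsa: str      # Originating DSA: Site\DC where the write happened
    originating_usn: int      # Org.USN: USN the originating DC assigned
    originating_time: datetime
    version: int              # Ver: bumped on every originating write
    attribute: str


# A data row: Loc.USN, DSA, Org.USN, "YYYY-MM-DD HH:MM:SS", Ver, attribute.
# Header and "=====" separator lines don't start with digits, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)

# Constructed sample in the shape of Figure 2 (values taken from the figure).
SAMPLE_SHOWOBJMETA = r"""
Loc.USN   Originating DSA   Org.USN   Org.Time/Date          Ver   Attribute
=======   ===============   =======   =============          ===   =========
   8194   Site-A\DC-A          8194   2008-03-24 21:27:24      1   objectClass
   8194   Site-A\DC-A          8194   2008-03-24 21:27:24      1   cn
   8194   Site-A\DC-A          8194   2008-03-24 21:27:24      1   description
  12727   Site-B\DC-B         12727   2010-03-22 18:53:46      2   givenName
"""


def parse_showobjmeta(text):
    """Return one AttrMeta per data row, in output order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(AttrMeta(int(m[1]), m[2], int(m[3]),
                                 datetime.strptime(m[4], "%Y-%m-%d %H:%M:%S"),
                                 int(m[5]), m[6]))
    return rows


def creation_origin(rows):
    """(DSA, time) the object was created on: the version-1 objectClass row.
    Returns None when objectClass has been rewritten; look at objectGUID then."""
    for r in rows:
        if r.attribute == "objectClass" and r.version == 1:
            return r.originating_dsa, r.originating_time
    return None


def last_writer(rows, attribute):
    """(DSA, version) of the most recent originating write to an attribute."""
    for r in rows:
        if r.attribute == attribute:
            return r.originating_dsa, r.version
    return None


def resolve_conflict(a, b, dsa_guid):
    """Pick the winner of two originating writes to the same attribute:
    highest version, then latest originating timestamp, then the largest
    originating DSA GUID. dsa_guid maps DSA name -> GUID string.
    Assumption: 'mathematically largest' GUID means the larger 128-bit integer."""
    def rank(r):
        return (r.version, r.originating_time,
                uuid.UUID(dsa_guid[r.originating_dsa]).int)
    return max((a, b), key=rank)


def demo_conflicts():
    """Three constructed scenarios, one per tie-break step; returns winning DSAs."""
    guids = {  # placeholder GUIDs chosen so DC-B's is the larger integer
        r"Site-A\DC-A": "00000000-0000-0000-0000-000000000001",
        r"Site-B\DC-B": "00000000-0000-0000-0000-000000000002",
    }
    t1 = datetime(2011, 3, 22, 12, 6, 0)
    t2 = datetime(2011, 3, 22, 12, 7, 0)
    a, b = r"Site-A\DC-A", r"Site-B\DC-B"

    def write(dsa, usn, version, when):
        return AttrMeta(usn, dsa, usn, when, version, "description")

    return {
        # version beats timestamp: DC-A's older write carries a higher version
        "higher_version": resolve_conflict(write(a, 5002, 3, t1),
                                           write(b, 7002, 2, t2), guids).originating_dsa,
        # equal versions: the later originating timestamp wins
        "later_timestamp": resolve_conflict(write(a, 5002, 2, t1),
                                            write(b, 7002, 2, t2), guids).originating_dsa,
        # equal versions and timestamps: the larger DSA GUID wins
        "larger_guid": resolve_conflict(write(a, 5002, 2, t1),
                                        write(b, 7002, 2, t1), guids).originating_dsa,
    }


if __name__ == "__main__":
    rows = parse_showobjmeta(SAMPLE_SHOWOBJMETA)
    print("created on:", creation_origin(rows))
    print("givenName last written by:", last_writer(rows, "givenName"))
    print(demo_conflicts())
```

Real repadmin output pads its columns differently from the constructed sample, but the row regex only relies on the field order, so the parser also works on lines copied from a live DC. When auditing a suspicious change (a password reset or group-membership edit you did not expect), the originating DSA and timestamp from this metadata are what tell you which DC first accepted the write, independent of which DC you happened to query.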

The final scenario is the case in which an OU or container is deleted, but before that deletion replicates to other DCs, another administrator creates a child object inside that OU or container. A simple example is when you're closing an office, perhaps the Chicago office, so you delete the OU for Chicago. Meanwhile, an administrator in San Francisco moves a new user to the Chicago OU. When the deletion of the Chicago OU replicates to San Francisco, AD won't delete the user that was moved. Instead, AD moves the user to the LostAndFound container at the root of the domain (or in the case of the configuration NC, the LostAndFoundConfig container).

Complex Challenges

AD implemented one of the first multi-master LDAP directory replication models. Multi-master replication introduces some complex challenges, such as how to ensure that replication doesn't create loops or endless network traffic and how to resolve conflicts. Every DC stores several tables to keep track of replication state and to ensure consistency. In addition, each object stores replication metadata, which serves as a history of that object.
As we move closer to a paperless world, with almost all of our data stored and accessed electronically, it might seem strange to write about new print features in Windows Server 2008 R2 and Windows 7—like I might as well write an article about why the Internet will be a big deal or whether slates will catch on. However, if you ask the person who sits next to the printer in your office whether we're really printing less, he'll probably tell you, "No!" (as he gasps for clean air in his ozone-swamped work area).

Considering the mobility of today's workforce and the myriad of devices employees are using, it's more important than ever that print options keep pace. In addition, users and organizations must enable the necessary features for a smooth and consistent print experience. Server 2008 R2 and Windows 7 offer several features that enhance the overall print experience.

A mobile workforce generates new challenges

The User Experience

Several client features help make the end-user experience smoother. Two of the most important improvements, both of which focus on mobile users and accessing desktops from many different locations, include remote printing and default printer selection, which I discuss in the following sections.

Printing to a Windows 7 remote desktop. Printing from a remote session over RDP was always painful with traditional Terminal Services. On each terminal server, you needed to install all the print drivers that the connecting clients might use, so that users' local printers could be redirected to the remote session and content could be rendered correctly on the terminal server and then sent to the client for printing on the print device. All too often, printer drivers were missing or were the wrong version, which resulted in printing not working (at best—or at worst, a small Peruvian rainforest being destroyed as page after page of random characters printed).

Server 2008 addresses this problem with Terminal Services Easy Print. This new driverless printing model leverages the Microsoft XML Paper Specification (XPS) format, which works similarly to PDF files and contains both the data and formatting. With TS Easy Print, when a print operation occurs, rather than the terminal server rendering to a printer-specific format, a generic XPS document is generated. This document is then sent over the RDP connection to the client device, which lets the client device generate the printer-specific rendering using the locally installed driver from the received XPS file. If a user in the remote session looks at printer properties, the RDP connection captures this request and displays the user's local printer properties, then sends any format options back to the remote session. Therefore, no functionality of the local printer driver formatting is lost even though no actual driver exists on the terminal server.

Although driverless printing was a huge improvement for Terminal Services-based sessions, Windows Vista didn't include this functionality. With Microsoft's introduction of Virtual Desktop Infrastructure (VDI), and with remote sessions being increasingly used to connect to virtualized client OSs, having a driverless printing solution to connect to client OSs over RDP is a huge benefit. Windows 7 Enterprise and Windows 7 Ultimate support Remote Desktop Easy Print. (Terminal Services was renamed to Remote Desktop Services—RDS—in Server 2008 R2, hence the name Remote Desktop Easy Print rather than Terminal Services Easy Print.)
Figure 1: Viewing printer preferences

The Easy Print functionality no longer relies on the .NET Framework being installed on the client device. Instead, the XPS-to-GDI (printer format) conversion is now performed by the OS directly. With the Easy Print functionality, if you connect to a remote Windows 7 Enterprise or Ultimate OS instance and enable printer redirection, you'll see the default printer and all the available printers. If you check the Model setting on the default printer, you'll see that it's using Remote Desktop Easy Print, as Figure 1 shows. If you select Printing Preferences from the context menu, you'll see the advanced properties for your local OS. When the advanced properties of a printer are selected, the dialog box to show these properties is actually redirected to the client that has the full driver for the printer, because the advanced properties are driver-specific. A dialog box appears to advise you that the properties have been redirected, as Figure 2 shows. Because Easy Print is a feature of RDP 6.1, Vista SP1 and Windows XP SP3 clients that have Remote Desktop Connection Client 6.1 or later and the .NET Framework installed can take advantage of Easy Print when connecting to a Windows 7 Enterprise or Ultimate OS over RDP.

As you can see in Figure 2, even though the driver isn't available on the remote session, you can still see the advanced settings by transparently launching the properties locally on the client and then passing back to the remote session any selections and formatting changes. The Printing Preferences dialog box usually covers up the redirection notice dialog box—however, I moved it so you can see that it actually launches on top of the remote session window because it runs on your local client OS using your locally installed driver.
Determining which printer to use. Easy Print is a fantastic technology for exposing local printers to remote connections without worrying about drivers. The next challenge for our ever-mobile workforce is to determine which printer to use. I take my laptop between several office buildings, as well as to my house. Numerous times, I've just hit Print from home rather than printing to a specific printer—and subsequently sent a personal document to my work printer by mistake. Then, I've had to get up extra early the next day to make sure I retrieved my document before anyone else got to the office. What we need is a default printer selection based on location.

Several corporate solutions exist for this problem, and the sophistication of these solutions has improved greatly in the past few years. Although this section deals with client functionality, we also need to discuss server components because the server capabilities are important when we consider our options.

Initial attempts at automated printer assignment were via logon scripts that checked machine attributes, such as IP addresses, then added specific printers that were maintained through the scripts, which were very cumbersome to manage in large environments. The first real breakthrough came with Windows Server 2003 R2's introduction of the Print Management Console (PMC). In addition to providing a centralized management point for Windows print servers and automated discovery of printers, the PMC also allowed for deployment of printers using a combination of listing printers in Group Policy Objects (GPOs) and an executable file called PushPrinterConnections.exe. This executable file was added to the user logon or computer startup process, and it checked the GPOs for printers and configured them on the machine. Because GPOs can be linked at the domain, organizational unit (OU), and site levels, the solution provided flexibility in assigning printers. The PushPrinterConnections.exe file was required because there was no Client Side Extension (CSE) for the printer configuration parts of the GPO.

Server 2008 takes this printer deployment capability to the next level, with CSEs for the PMC printer deployment. CSEs remove the need to use PushPrinterConnections.exe. Setting various GPOs at site levels enables a fluid default printer transition as users move between locations, with the correct default printer configured automatically.

Figure 2: Showing printer property redirection with Easy Print

Figure 3: Using Group Policy Preferences to add a new printer

The PMC's Deployed Printers capability is useful; however, Server 2008's Group Policy Preferences introduced an even better way to assign printers to users in a flexible way that for many organizations removes the use of Deployed Printers through the PMC. Unlike Group Policies that configure a client setting that can't be modified, Group Policy Preferences allow machine configurations that can be modified by end users. This capability lets you create an initial configuration that isn't set in stone. With Group Policy Preferences, we can periodically reimplement preference settings to overwrite any changes a user might have made, or we can set preference settings initially and forget about them, allowing users to do whatever they want.

To use Group Policy Preferences for printers on a user level, open a GPO and navigate to User Configuration\Preferences\Control Panel Settings\Printers. (You can also configure this setting at a computer level if desired.) To add a new printer, right-click and select New, then select the type of printer. As Figure 3 shows, the type of printer can be shared, TCP/IP, or local.

If you select Shared Printer, you can select a printer from Active Directory (AD)—assuming you're publishing printers in AD, which is easy with the PMC. You can also indicate whether you want the printer to be the default and whether you want it to be the default only if no local printer is present, as Figure 4 shows.


Figure 4: Configuring a shared printer 


Because Group Policy Preferences are part of GPOs, we can link them at site, OU, and domain levels. If we want to deploy based on location, we can link the GPO at the site level; when clients update their policies, they'll get printers assigned based on their current site. However, we can go a step further with Group Policy Preferences.

The Shared Printer Properties General tab lets you select a shared printer and default printer options. The Common tab, as the name suggests, is common to all Group Policy Preferences configurations but opens a whole other level of targeting through the Group Policy Preferences item-level targeting capabilities. Select a new printer's Common tab in Group Policy Preferences, then select the Item-level targeting option and click the Targeting button to open a new Targeting Editor that lets you create very granular rules for when this preference is applied, as Figure 5 shows.

Figure 6: Setting default printers for multiple networks

Best of all, this targeting applies to a specific preference setting (i.e., just one printer, not the entire GPO), which lets you define multiple printers in one GPO, each targeted differently. Looking at the targeting criteria in Figure 5, you can see just how flexible printer targeting can be. We can deploy printers based on IP address range, which is essentially the same as AD site but might let us be more specific than using our AD site configurations. We can also set definitions based on group membership, which is a very messy process with normal GPOs. We can target based on the time of day, type of computer, or network connection type—we have a lot of flexibility. If you haven't yet played with Group Policy Preferences, I suggest that you take a look. If you have a lot of custom scripts, you should be able to use Group Policy Preferences to get rid of most of them.
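The item-level targeting and default-printer options described above, as an added example that is not part of the article and not Microsoft's code: a Python script that reads a constructed Printers.xml (modeled on the file Group Policy Preferences stores in SYSVOL; every server, printer, group name and IP range is invented) and works out which printers a given client would connect and which one becomes its default, including the "default only if no local printer is present" case. The filter-combination and last-default-wins rules are assumptions of the example.

```python
"""Work out which Group Policy Preferences printer items a given client receives.

Added example, not code from the article or from Microsoft. The XML is a
constructed sample modeled on the Printers.xml layout that Group Policy
Preferences stores in SYSVOL; every server, printer, group name and IP range
is invented. The evaluation rules are an assumption of this example: filters
are combined left to right with their bool/not attributes, and when several
applicable items ask to be the default, the last one processed wins.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: three shared printers in one GPO, each with its own
# item-level targeting, which is what the Targeting Editor produces.
SAMPLE_PRINTERS_XML = r"""
<Printers>
  <SharedPrinter name="HQ-Floor2">
    <!-- default only if the laptop has no local printer (skipLocal="1") -->
    <Properties action="U" path="\\print01\HQ-Floor2" default="1" skipLocal="1"/>
    <Filters>
      <FilterIpRange bool="AND" not="0" min="10.10.2.1" max="10.10.2.254"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="Branch-Lobby">
    <Properties action="U" path="\\print02\Branch-Lobby" default="1" skipLocal="0"/>
    <Filters>
      <FilterIpRange bool="AND" not="0" min="10.20.0.1" max="10.20.0.254"/>
      <!-- not="1": members of this group are excluded from the item -->
      <FilterGroup bool="AND" not="1" name="CORP\Printer-Exempt" userContext="1"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="Finance-Secure">
    <Properties action="U" path="\\print01\Finance-Secure" default="0" skipLocal="0"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Finance" userContext="1"/>
    </Filters>
  </SharedPrinter>
</Printers>
"""


@dataclass(frozen=True)
class ClientContext:
    """The facts about the client that item-level targeting looks at."""
    ip: str                              # address on the network it is sitting on
    groups: frozenset = frozenset()      # groups the logged-on user belongs to
    has_local_printer: bool = False      # a locally attached printer exists


def _filter_matches(flt, client):
    """Evaluate a single targeting filter, honouring its not="1" inversion."""
    if flt.tag == "FilterIpRange":
        ip = ipaddress.ip_address(client.ip)
        result = (ipaddress.ip_address(flt.get("min")) <= ip
                  <= ipaddress.ip_address(flt.get("max")))
    elif flt.tag == "FilterGroup":
        result = flt.get("name") in client.groups
    else:
        raise ValueError(f"unsupported filter {flt.tag}")
    return (not result) if flt.get("not") == "1" else result


def _item_applies(printer, client):
    """Combine the item's filters left to right using each filter's bool attribute."""
    filters = printer.find("Filters")
    if filters is None or len(filters) == 0:
        return True                      # no targeting: the item applies everywhere
    applies = None
    for flt in filters:
        match = _filter_matches(flt, client)
        if applies is None:
            applies = match
        elif flt.get("bool", "AND").upper() == "OR":
            applies = applies or match
        else:
            applies = applies and match
    return applies


def evaluate_printers(xml_text, client):
    """Return the printer connections and the resulting default for one client."""
    connected = []
    default = None
    for printer in ET.fromstring(xml_text.strip()).findall("SharedPrinter"):
        if not _item_applies(printer, client):
            continue
        props = printer.find("Properties")
        path = props.get("path")
        connected.append(path)
        wants_default = props.get("default") == "1"
        # "Default only if no local printer is present" is the skipLocal flag
        # from the General tab (Figure 4); it suppresses the default on laptops
        # that carry their own printer.
        skip_local = props.get("skipLocal") == "1"
        if wants_default and not (skip_local and client.has_local_printer):
            default = path
    return {"printers": connected, "default": default}


if __name__ == "__main__":
    for label, client in [
        ("HQ laptop, Finance user", ClientContext("10.10.2.50", frozenset({r"CORP\Finance"}))),
        ("HQ laptop with a USB printer", ClientContext("10.10.2.50", has_local_printer=True)),
        ("Branch visitor", ClientContext("10.20.0.7")),
        ("Branch, exempt user", ClientContext("10.20.0.7", frozenset({r"CORP\Printer-Exempt"}))),
        ("Home network", ClientContext("192.168.1.5")),
    ]:
        print(f"{label}: {evaluate_printers(SAMPLE_PRINTERS_XML, client)}")
```

Running the same evaluation over a copy of a real GPO's Printers.xml lets you confirm which clients will receive which default printer before you link the GPO at the site level.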

Setting the default printer within a corporate environment is quite simple with some up-front administrative design and configuration. But what if you connect to multiple personal networks, or if users want to manage their own default printers based on different locations? Windows 7 introduces a new feature, called location-aware printing, that takes advantage of the network location awareness services introduced in Server 2008 and Vista. Based on various network characteristics (e.g., wireless networks, availability of domain controllers—DCs), we can identify the various networks that can be used for Group Policy application, firewall settings, and more in Server 2008 and Vista. In Windows 7, we can use the same identified networks to set different default printers, through location-aware printing.

Configuring location-aware printing is very simple. Select Devices and Printers from the Start menu, then click the Manage default printers action to open the dialog box that Figure 6 shows. You can then select the option to always use the same default printer, which essentially disables location-aware printing, or you can select the option to change the default printer, in which case you can set a default printer for each known network. When you connect to a new unknown network, the current default printer is automatically set as the default for that network. You can change this setting, however.

If you're connected to multiple networks at the same time (e.g., wired and wireless), then the default printer for a wired connection to a managed network takes precedence over a wireless network that a user saved. Furthermore, a saved wireless network takes precedence over an unmanaged wired network. If you can't seem to find the Manage default printers action on your desktop or server, that's because it's available only on mobile computers (i.e., laptops) running Windows 7 Home Premium or better but not on any Windows Server editions.

The Administrator Experience 

Because printing is a user-initiated process, it shouldn't surprise you that two of the coolest Windows 7 printing features (i.e., Easy Print and the Group Policy Preferences location-aware printing) are so user centric. Server 2008 R2 and Windows 7 also offer administration improvements from a management perspective, as well as performance and reliability enhancements that reduce the amount of support necessary from the IT team.

The most obvious change in Server 2008 R2 regarding print services is that printing is now part of the Print and Document Services role. Within this role, the new Distributed Scan Server role service enables centralized management and monitoring of Web Services on Devices (WSD)-enabled network scanners in the same way that printers can be managed by print services. This article focuses on printing rather than scanning, so I'll leave the Distributed Scan Server capability for future discussion. However, the Distributed Scan Server role will definitely help if you have a lot of scanners in your environment.

Printer driver isolation. I think the biggest performance and supportability change in Server 2008 R2 for printing is the new printer driver isolation capability, which is also known as sandboxing. Prior to Server 2008 R2, the print driver components were loaded in the same process as the print spooler. It was common for print drivers to fail, which would then cause the entire print spooler to fail, thereby shutting down the entire print service for all users and printers on the server. Printer driver isolation allows the print driver components to run in a separate process from the actual print spooler, which means a faulty print driver no longer brings down the spooler and, with it, every other printer on the system. We can go one step further by configuring particular print drivers to run in their own isolated process, which is great if we have new or known buggy drivers. These drivers, if running in their own process, can stop their own printers from working—but not other printers.

Figure 7: Configuring the isolation for a print driver

Figure 9: Driver and printer custom filter options

You configure printer driver isolation on the driver rather than the printer. Start the PMC, navigate to the Print Servers - <server> - Drivers node, right-click the driver, and set the desired isolation, as Figure 7 shows. You can set isolation to one of several values, including:

• None—Loads the print driver components into the print spooler process, which emulates pre-Server 2008 R2 behavior.

• Shared—Loads multiple drivers into one process, which protects the spooler from the drivers. One bad driver in the shared process will affect all the others. Use the Shared value for known, well-behaving print drivers.

• Isolated—Loads the driver into its own process space, protecting the spooler and other drivers from a failure of the isolated driver. Use the Isolated value for unknown or problem drivers.

Although printer driver isolation is the main reliability feature in Server 2008 R2 and Windows 7, other performance improvements include spooler changes on both the client and server to speed up logon times and to reduce server-side lag when dealing with notifications. A reduction in the frequency of certain types of print notifications makes the spooler more responsive and performant.

Administration help. The PMC is the first point of contact for print management. Server 2008 R2 and Windows 7 provide two main areas of improvement in the PMC, beyond the UI enhancements, to give more information in the Printers and Drivers view.

The first new piece of functionality is the ability to set default permissions that automatically apply to any new print queue created on the server. This functionality removes the need to manually repeat permission application for every new print queue that you add to a server. To set the default security that you want to apply to new print queues, open the print server's properties and select the Security tab, as Figure 8 shows. Note that these changes don't apply to existing print queues.

As Figure 8 shows, you can also assign Manage Printers, Manage Documents, and Manage Server rights to users. Users with these permissions automatically become delegated administrators for the print server. Alternatively, you can give users a subset of permissions—whatever best suits your organization's requirements.

The other major addition is the ability to create filter views within the PMC based on printer and driver information. This powerful feature lets administrators create multiple views through the PMC's Custom Filters node to tap into a huge number of printer and driver attributes. Items such as number of jobs in the queue, status, and location can be used to create views that let administrators quickly see information about devices for various groups and locations (e.g., devices in a certain state or above a certain number of items queued). Figure 9 shows filter definition options for both printer and driver filters. You can also see the capability to select multiple fields for each filter, including conditions and values on which each condition will operate.

Trouble-Free Printing 

Although it's easy to dismiss the importance of printing, this function is still critically important to organizations. Server 2008 R2 and Windows 7 provide new features that help print functionality keep up with a mobile workforce, including the variety of ways that users connect to services and access printing. Even as organizations' printing needs evolve, printing should be a seamless process.
Figure 8: Setting the default security to apply to new print queues
Penton Media, the company that owns Windows IT Pro, recently completed an upgrade to Microsoft Exchange Server 2010, moving from Exchange 2007. After the migration was complete, I had a chat with the two members of the company's IT team most responsible for handling the transition. Senior systems architect Brent Mammen has been with the company for just over four years and was involved in the merger of Prism and Penton around the time he was hired. Part of that merger was upgrading to Exchange 2007 while converting half of the company from Lotus Notes to Exchange. Sean Cox joined Penton a little over a year ago, but he's been working with Exchange Server since the days of Exchange 5.5. Although his title is Exchange administrator, he also works with storage, VMware, and other systems, as you might expect.

Penton has 20 offices around the United States, as well as one in the UK, one in Canada, and one in 
Hong Kong. Brent and Sean are based in Overland Park, Kansas. In our discussion, we talk about why 
the company chose to move from Exchange 2007 to Exchange 2010, how the IT department prepared 
for and managed the transition, and how they implemented the new features of Exchange 2010. 

BKW: Describe the Exchange Server environment we're talking about: how many mailboxes; how 
many servers; how everything is distributed, and so forth. 

Brent: We're kind of unique since we're a publishing company, so we have a lot of different 
namespaces out there. I believe we've got somewhere around 2 terabytes of email on two mailbox 
servers—which doesn't really sound like a lot, but we're also accepting email for close to 200 email 
domains. That's a lot of management. I believe we have around 2,300 mailboxes on our servers. 

Sean: I'd say 40 percent, 45 percent of those, are resource type—not tied to a specific, physical user. 
They're out for whatever purposes people need, global mailboxes that multiple people have access to. 

Brent: Our employee base is around 1,200 employees, but we actually have 6,500 unique email 
addresses on our system. We filter our email through Microsoft Forefront Online Protection. So far, 
we've been pretty happy with that. We block on average 400,000 messages classified as spam every 
day. Only about 11 percent of the email filtered is actually delivered to our Exchange servers. Our 
current Exchange 2010 environment consists of two Mailbox servers that also host the CAS and the 
Hub role, and then two Edge servers, two UM servers, and one DR [disaster recovery] Mailbox server. 
So, basically seven servers total. 

Sean: And there's a UM server that's going to be going out to our DR location in Cleveland. Those two servers—the Mailbox/CAS/Hub and the UM in Cleveland—are physical boxes. The two Mailbox/CAS/Hub servers here locally in Overland Park are physical. The two Edge servers are virtual.

Brent: That probably rolls into why we did the upgrade. Our DR site is more of a build out because we've had the opportunity since we've moved to Exchange 2010. Back when we were on Exchange 2007, we were running approximately 10 servers. At the time that we did the upgrade, the company was financially challenged, so there wasn't any money for new servers. Part of the selling point on this was being able to drop the number of servers we had and then repurpose those for DR functionality. That, along with the fact that we had maintenance on our Exchange servers, so the upgrade to Exchange 2010 was covered. Those are some pretty big selling points. Plus we were able to drop our disk storage to using slower drives, less expensive drive space, which we already had, and repurpose the faster drive space for other needs.

Sean: We're running on SATA disks on both the Mailbox servers—actually all three, the Cleveland DR and the two primary servers here locally. They're running on EMC SANs, SATA2 drives.

Brent: And that's RAID 5, where before we were actually using RAID 10, so we were using more disks and more expensive disks.


Brent: It's interesting to note that we don't have maintenance on Outlook, so some of the benefits that clients would see from the back-end upgrade aren't there until we're able to buy the licenses to upgrade to Outlook 2010.

BKW: So by "maintenance," are you talking about a contract like Software Assurance?

Brent: Right. We had a premier agreement with Microsoft for most of their product suite, and when the company was in financial difficulty there for a while, we were forced to drop that. But the upgrade was still a part of that agreement. We owned the upgrade to [Exchange 2010] and it made sense to go ahead and proceed with it.

BKW: You were able to use fewer servers, repurpose disks to other tasks, and the upgrade to Exchange Server 2010 itself was covered under the agreement.

Brent: Right. And even though Exchange 2010 is different from a management perspective, it's not a lot different than Exchange 2007. Sean and I looked at it, and I guess the DR piece—going from CCR [cluster continuous replication] clusters to DAGs, database availability groups—was a lot different for us. But the day-to-day management—so, for our Help desk, and the people managing our Exchange system on the front end—it wasn't a big change.



BKW: How was the actual migration staged?


Sean: Yes, those were all Fibre Channel disks, what was on Exchange 2007. Those are getting repurposed to whatever else we might need for faster disks.


Sean: The biggest reason on the back end to make the upgrade, at least initially, would be the DAG. The fact that databases moved from server-based to organization-based, so they weren't tied to specific servers. The benefits of DAGs would be one of the biggest reasons we decided to do the upgrade when we did, so we have that availability. That enhancement is pretty nice in Exchange 2010.


Brent Mammen, senior systems architect (l), and Sean Cox, Exchange administrator (r), of Penton Media IT.


Sean: Moving the offices one at a time seemed the best way to do it.


Brent: I think we might have started with you guys. We did Overland Park, and then we started with your offices. Our plans were changed slightly as we got into it. Service Pack 1 for Exchange had just been released when we were starting to migrate mailboxes, so the decision was made to go ahead and apply Service Pack 1 for Exchange. Well, an issue that arose with Service Pack 1 was ActiveSync policy support had changed. I think we have a little over a hundred Android devices in our organization. Some of those Android devices weren't able to handle those new ActiveSync policies, depending on the version of ActiveSync client that they had. What we ended up doing is breaking the people out that had the Androids and doing those separately as we went. So we pulled those out of each group, and handled those separately. We had to actually remove the ActiveSync policies from a lot of Android devices to get them to sync with Exchange.

Sean: The removal of Android devices, doing them separately in each office, was based on trying to do more communication to those individuals. We would let you know that this might be an issue after the upgrade; if it is, please let us know and we'll address and resolve whatever issues that you have.

Brent: Also, we set up what we called the Exchange Migration Hotline. So we had a phone number that people could call, internally and externally, during the migration, as they were being moved, if they had a problem. That phone line went to both Sean and me.

Sean: The email address that those communications were sent out under, both Brent and I had access to as well. So you had two lines of communication to us. We did it that way because we were the most familiar with what was going on, instead of trying to flood the Help desk with calls. We decided to take that on individually and deal with any issues that arose—kind of cut out the middle man.

Brent: Right, that took some pressure off the Help desk. I mean, they still did receive calls, but then they transferred those calls to the Exchange Hotline. Sometimes we were migrating accounts at night, and if people had an issue, they could still call the phone number and with mobility, could reach us on our cell phones.

BKW: I remember that email right before the move. It mentioned letting you know if you were using an Android device.

Brent: They talk about Android fragmentation, and it does exist because you have different vendors with different email clients. It's not like the iPhone where you have one email client. The different implementations didn't support certain ActiveSync policies that were introduced with Exchange 2010 Service Pack 1. We didn't really know which clients would work and which wouldn't. We had some of them narrowed down, but if they hadn't done an update on their device, it still might not work. Obviously, newer phones tended to be less problematic, newer Android devices. The first way we tackled it was to make sure that everyone was on the latest version of the OS for their device.

Sean: We did weed out some of the initial issues, or found out what some of those would be, just by migrating IT in general. IT's always a good test group because, well, you work with them, you can let them know what's going on. If something goes wrong, they're not really going to complain too loudly to you because they kind of expect issues, being in the industry—nothing ever works perfectly the first time out. We weeded out and found out about certain issues with the Androids before we ever started rolling this out to any of the regular users in the offices.

BKW: Do you use a variety of smartphones in IT?

Sean: Yes, we have Androids, different flavors of Androids, iPhones, BlackBerrys. So it was a pretty wide range of devices. We were able to find out if they'd be problematic or not before we ever touched the regular user base.

Brent: I think that being a media company lends itself to allowing people to be more creative, more flexible. So the company has allowed people to choose pretty much any devices they want. I think that's great. It does present challenges for us in supporting those devices, but I think it's good for the company.

Sean: But even those challenges are always a learning experience, especially when you go out to the larger user base, in different offices, with different devices. We kind of get more of a handle about what could come up because of the openness of our IT department.

BKW: This is the big trend, allowing employees to choose the devices they use. It can certainly be a struggle for IT departments.

Brent: Yes, it is. More than half of our employee population has devices attached to Exchange. We have more than 700 devices on our Exchange system. Although, looking at it now, it wasn't as problematic as I thought it might be. It was actually pretty smooth. We had a hiccup with our BlackBerry Enterprise Server and our BlackBerry devices, and I believe it turned out to be a patch that we had to apply.

Sean: Initially when Service Pack 1 came out, I had seen that BlackBerry fully supported it. Then we started having issues with the BlackBerrys, and then I found out that BlackBerry said they only partly support Exchange 2010 Service Pack 1. So I went from seeing full support to part support. They did at the time end up having a patch, an update actually, for the BlackBerry Enterprise Servers to resolve the issues.

BKW: You mentioned before about using this upgrade to consolidate the number of servers the system is deployed on. How did you run the actual move from the Exchange 2007 servers to the Exchange 2010 servers on the back end?

Sean: The process itself, I think, started from the beginning, in a lot of the reading that we did. Microsoft would have recommendations on combining the roles into actual physical servers. Before, on Exchange 2007, we had Mailbox servers separate in a CCR cluster. We had two Mailbox servers, and they were clustered together with two other servers. Then, Hub and CAS were on separate servers. Part of the migration was doing a P2V on those Hub/CAS servers to free up some actual physical hardware.

So for the course of the migration, all of the roles except for the Mailbox roles were virtual. Then, as we reallocated the physical servers for Exchange 2010, we started installing Exchange, like we said, the CAS/Hub/Mailbox on one because the DAG allowed us to install roles on top of the Mailbox server role and still have the redundancy with the DAG. In 2007, if we clustered, the Mailbox server role was the only one that could be on those boxes.

Brent: I think I mentioned that we were short on physical hardware, so that's one of the reasons that we did this. But we actually needed some physical hardware in order to start the migration. We virtualized some of the boxes, and we took the existing hardware that we had just moved the OS off of to a virtual machine, and used it for our mailbox resources. We built out a 2010 environment beside our 2007 environment. We made sure that we had that up the way that we wanted it—the database availability groups online, test mailboxes on there. We basically ran that for about a month with test mailboxes connecting to it, with Outlook and various clients, made sure everything was fine before we set up the routing between the two systems. So we have Exchange 2007, Exchange 2010, both working fine in their own environment, and then we set up routing. With routing, you send most of the requests through the new Exchange 2010 system, which redirects if it needs to through the 2007 system.

Sean: A lot of the testing that was involved was testing the DAG—the speed at which a database would fail over from one server to another. We wanted to get a handle on the process, the set up, the administration, and then just the sheer speed. You know, is this faster or slower than a CCR cluster mailbox rolling over from one server to another? What issues are there? How is the management of it, before and after the fact? We did a lot of testing with the DAG on 2010 before we started migrating the mass user base. And everything worked out pretty well. We hit a couple glitches with the DAG testing, but as a whole it ran pretty well. Speed-wise, it was a lot faster in activating a database copy from one server to another, compared to a cluster server failover. The biggest thing I think we like about it is that the databases are no longer tied to a physical server. They're tied to the organization. It doesn't matter what server the databases are actually on.

BKW: How did the migration to Exchange 
2010 go overall? Did the preparation you 
did prove to be adequate? 

Brent: I think so. The curveball was Service 
Pack 1 coming out about the time that we 
were starting our deployment, and our 
decision to go ahead and roll it out with 
Service Pack 1. We would have run into 
those same problems down the road after 
we'd already had it up and running, so I'm 
glad we did it ahead of time. 

Sean: And probably on a grander scale. 
With more people on Exchange 2010, any 
of those issues could have been a lot bigger. 
Doing it at an earlier stage—and I think 
that was one of the reasons we decided to 
do it—we'd be able to control the people 
having the issues because we control who 
we migrate over. 

Brent: There were some fixes, obviously, 
in Service Pack 1 that were beneficial. One 
that I can think of is that SSL offloading did 
not work properly until Service Pack 1. So 
we were ordering our certificates, getting 
them installed on the load balancer, but 
still doing SSL to the back end—we would 
have been if we didn't have Service Pack 1. 
So, there were significant improvements 
with Service Pack 1. 

BKW: What about administrative improve¬ 
ments that came with SP1? They made 
changes that put functions in the GUI that 
previously were available only in Power- 
Shell—is that a big deal for you guys or not? 

Sean: They made quite a few of those 
additions, and that's always nice. Adding 
that functionality into the console gives 
you two avenues. Depending on the level 
of the change, it's something that Help 
desk people might be able to do. It would 
be a lot easier with them doing it through 
the console rather than trying to learn the 
command-line stuff through the shell. 
BKW: You've talked about some new features 
of Exchange 2010 already, such as 
DAGs, but there are many other new features, 
such as Personal Archives. What 
other new features have you implemented, 
and how are they working so far? 

Sean: The Personal Archive, in all honesty 
we haven't sat down and talked about that. 

Brent: I don't know if it fits well with 
our company. First of all, with Exchange 
2010, you're able to have larger databases, 
and larger mailboxes, and cheaper 
disks. At that point, does archiving really 
have the appeal it used to have? Usually, 
people were using archives for cheaper 
storage, right? But storage in 2010 has 
gone cheaper. So the archiving functionality 
I'm not sure has a good fit. Now, if 
we run into a business scenario where it 
does make sense, then yes, we'd certainly 
look at it and put it in there. The Exchange 
Control Panel, yes, it's been good. People 
are able to see their devices. We've had 
some people that have lost their devices 
and that were able to actually go into Outlook 
Web App and wipe their own device. 
From an employee perspective, the things 
that have helped, that have been beneficial 
with Exchange 2010—Outlook Web App 
is very nice. It gives you the Outlook 2010 
interface, if you will. We've also integrated 
OCS directly into Outlook Web App. You 
see status, and you're able to IM people 
directly from Outlook Web App. 

Sean: That's a great addition to OWA. 

Brent: Things like MP3 voicemail attachments. 
Prior to Exchange 2010, we had 
WMA support, so some of our mobile 
devices had to have a third-party player 
in order to listen to their voicemail. Now, 
native with Exchange 2010, we were able 
to have MP3 attachments, which I believe 
every device will play by default. 

Sean: That's been a change that was added 
to all the databases, and then was added to 
all the mailboxes that were migrated over. 
[Currently,] we have the managed folders 
for retention. Well, [Microsoft is] looking to 
eliminate managed folders and migrate to 
retention policies. You can actually no longer 
control managed folders on the back 
end through the console; it's exclusively 
through the shell now because they're 
trying to migrate off of that and go to retention 
policies. The issue with that is that 
unless you exclusively use OWA 2010, to 
benefit from that you have to have Outlook 
2010. And as we mentioned previously, 
we don't own that, we don't have that 
rolled out to the masses, so that's really an 
enhancement that we can't benefit from. 
We're sticking on the managed folder side 
right now. 

BKW: You didn't mention the new voicemail 
transcription—which personally, I think is 
an absolutely wonderful feature, particularly 
on my mobile device. 

Sean: Even on the desktop it is because you 
can just browse over the voicemail like an 
email and see if it's something you have to 
address right away or if it can wait, without 
even listening to it. 

Brent: I know on our intranet site we've 
had some people making fun of some of the 
transcriptions. Some of them are hilarious. 
But for the most part, I can at least get an 
idea what the voicemail message is about 
and whether I need to do something with 
it right now or if it can wait. 

BKW: You already mentioned that we're 
not moving to Outlook 2010 right now. I 
also wanted to ask about Lync 2010. Have 
you had the chance to look at that yet? 

Sean: Looking at it. The upgrade path is 
quite convoluted. It requires a considerable 
amount of resources. What we're trying to 
look at is what kind of benefits we get and 
how much it’s worth to the company to 
get those benefits. It's a very complicated 
environment. 

Editor's Note: This interview was originally 
published on the Windows IT Pro website 
in three parts as InstantDoc IDs 136606, 
136608, and 136611. 
This useful script deals with the complexities so you don't have to

by Bill Stewart

Get-InstalledApp.ps1 is a PowerShell script that outputs information (e.g., display name, version, publisher) about the applications installed on one or more computers in a network. When I wrote this script back in 2009, I was using PowerShell 1.0 and only had to access 32-bit Windows OSs (see the web-exclusive article "What Applications Are Installed on the Computers in Your Network?" www.windowsitpro.com, InstantDoc ID 102818). Fast forward to 2011. I'm now using the 64-bit version of Windows 7, which has PowerShell 2.0 built-in. I wanted to use Get-InstalledApp.ps1 to output information about the applications installed on 64-bit and 32-bit Windows computers and instantly discovered that when I ran the script from the 64-bit version of PowerShell 2.0, it output only 64-bit applications. I had to start a 32-bit instance of PowerShell to find 32-bit applications. Needless to say, I was unhappy with this limitation.

I've now written a new version of Get-InstalledApp.ps1. It addresses this limitation and adds some new features, some of which should be particularly useful for people managing both 32-bit and 64-bit applications. The new version of the script requires PowerShell 2.0 and provides the following enhancements:

• Comment-based Help information instead of a home-grown help function. If you put the script in a directory in your path, the command

  Get-Help Get-InstalledApp

  displays Help information for the script.

• Allows pipeline input in place of the -ComputerName parameter.

• Application architecture detection (32-bit or 64-bit).

Using the Script 

To download Get-InstalledApp.ps1, go to www.windowsitpro.com, enter 136129 in the InstantDoc ID 
text box, and click the 136129.zip hotlink. The script's command-line syntax is as follows: 


Get-InstalledApp [-ComputerName <String[]>] [-AppID <String>] [-AppName <String>] 

[-Publisher <String>] [-Version <String>] [-Architecture <String>] [-MatchAll] 

The -ComputerName parameter is optional. If you omit it, the script outputs information about the 
applications installed on the local computer. If you pipe input to the script, the script uses the piped 
input for the -ComputerName parameter. Because it's the first positional parameter, you can omit the 
parameter's name (-ComputerName) if you specify a computer name (or a list of computer names) 
as the script's first parameter. 
Table 1: Application Properties Returned by Get-InstalledApp.ps1

Property        Description
ComputerName    Computer on which the application is installed.
AppID           The application's ID. The application ID is the registry subkey's name under the Uninstall registry key (label A in Figure 1).
AppName         The DisplayName registry value (label B in Figure 1).
Publisher       The Publisher registry value (label C in Figure 1).
Version         The DisplayVersion registry value (label B in Figure 1).
Architecture    32-bit or 64-bit, depending on the application installation's registry path.


The optional -AppID parameter lets you search for a particular application by its ID. The application ID is the application's registry subkey name, which is under the Uninstall key in the registry. This parameter is particularly useful for searching for applications installed with Windows Installer, as the application ID is the same as the application's product code globally unique identifier (GUID). You can use wildcards in the -AppID parameter's value. If the value contains curly braces ({ }), you need to enclose it in double quotes (" "); otherwise, PowerShell will think you're specifying a hash table.

The optional -AppName, -Publisher, 
and -Version parameters behave the 
same way as in the earlier version of the 
script. These parameters let you search 
for applications by name, publisher, and 
version, respectively. All three parameters 
support wildcard matching and are case 
insensitive. 

You can specify one of two strings, 64-bit or 32-bit, for the optional -Architecture parameter, depending on whether you want to search for 64-bit or 32-bit applications. If you omit the -Architecture parameter, Get-InstalledApp.ps1 outputs information about both 64-bit and 32-bit applications.

When you're looking for only one match (e.g., searching for an application by its ID), it's unnecessary to continue the registry enumeration. So, the script returns only the first match by default to minimize network and registry access. When you need all the matches, you can use the -MatchAll parameter. If you include this parameter, the script lists the information about all matching applications instead of stopping after the first match. For example, the command

Get-InstalledApp -Publisher *Microsoft*

outputs information about the first application whose publisher contains the string Microsoft, whereas the command

Get-InstalledApp -Publisher *Microsoft* -MatchAll

outputs information about all applications whose publisher contains the string Microsoft. (Although some of the commands in this article wrap on the page, you'd enter each one on a single line in the PowerShell console.)

For each application, Get-InstalledApp.ps1 outputs the properties listed in Table 1. Figure 1 shows where in the registry this information is retrieved from. In case you're curious, I retrieve the application information from the registry rather than Windows Management Instrumentation's (WMI's) Win32_Product class because of the class's limitations. You can read about some of the limitations in "What Applications Are Installed on the Computers in Your Network?" You can read about another Win32_Product class limitation in the Microsoft article "Event log message indicates that the Windows Installer reconfigured all installed applications" (support.microsoft.com/kb/974524). Incidentally, the Win32Reg_AddRemovePrograms class mentioned in the Microsoft article seems to exist only on computers managed by Microsoft Systems Management Server (SMS).

Exploring the Possibilities

Here are some sample commands that will give you an idea of the script's usefulness. To output all 64-bit applications installed on server1, you'd use the command

Get-InstalledApp server1 -Architecture 64-bit -MatchAll

If you want to find all the applications that have the word "office" in their names, then sort them by architecture and version, you'd run the command

Get-InstalledApp -AppName *office* -MatchAll | Select-Object AppName,Version,Architecture | Sort-Object Architecture,Version

Now let's see something more complicated. If you want the script to check the computers listed in Computers.txt to see which machines have LibreOffice 3.3 installed, then display the names of those computers, you'd use the command

Get-Content Computers.txt | Get-InstalledApp -AppID "{1A97CF67-FEBB-436E-BD64-431FFEF72EB8}" | Select-Object ComputerName

Note that this command demonstrates the script's new feature of using pipeline input in place of the -ComputerName parameter. It also demonstrates how to enclose the -AppID parameter's value in quotes when it contains curly braces.

Figure 1: Retrieving application information in the registry

Learning Path

Other PowerShell scripting articles from Bill Stewart:

"Managing ABE from the Command Line," InstantDoc ID 129552
"Handling Input in PowerShell Functions," InstantDoc ID 129159
"Replacing Strings in Files Using PowerShell," InstantDoc ID 126454
"Windows PowerShell 2.0 Remoting," InstantDoc ID 125470
"Editing and Debugging Scripts with PowerShell 2.0's Integrated Scripting Environment," InstantDoc ID 104713
"Running PowerShell Scripts Is as Easy as 1-2-3," InstantDoc ID 103427
"Find Files on Local Drives with Whereis.ps1," InstantDoc ID 103096

Other articles about using PowerShell:

"The Evolution of a Script: This is How You Learn PowerShell," InstantDoc ID 139596
"A Concentrated Guide to PowerShell Functions," InstantDoc ID 128912
"Debugging in Windows PowerShell," InstantDoc ID 125694
"Q. How can I have my PowerShell script display output in a table?" InstantDoc ID 125568
"Q. Can PowerShell scripts run under alternate credentials?" InstantDoc ID 125888

Working with WOW64 

As I mentioned previously, Get-InstalledApp.ps1 retrieves information about the installed applications from the registry. To enumerate the installed software, it reads the relevant subkeys and values under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry subkey, as seen in Figure 1. However, this is where the original version of the script runs into problems when it's run on 64-bit Windows. This subkey contains information about the 64-bit applications installed on a 64-bit system only; 32-bit application installation information resides in a different location in the registry due to WOW64.

Listing 1: The compare-leafequality Function

# Returns $TRUE if the leaf items from both lists are equal.
# Otherwise, it returns $FALSE.
function compare-leafequality($list1, $list2) {
  # Create ArrayLists to hold the leaf items and build both lists.
  $leafList1 = new-object System.Collections.ArrayList
  $list1 | foreach-object { [Void] $leafList1.Add((split-path $_ -leaf)) }
  $leafList2 = new-object System.Collections.ArrayList
  $list2 | foreach-object { [Void] $leafList2.Add((split-path $_ -leaf)) }
  # If compare-object has no output, then the lists match.
  (compare-object $leafList1 $leafList2 | measure-object).Count -eq 0
}

WOW64 is the 32-bit emulator in 64-bit Windows that allows 64-bit Windows to seamlessly run 32-bit applications. When a 32-bit application accesses the registry, the WOW64 emulator redirects the application to the Wow6432Node subkey. For example, a 32-bit application that requests HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\Wow6432Node. This means that 32-bit applications installed on a 64-bit system are found in the HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall subkey.

When I first started revising the script, I retrieved the data from both registry locations, which works without problems when it's run from 64-bit PowerShell. However, when I ran the script from 32-bit PowerShell on a 64-bit machine, I was disconcerted to find that it output every application twice. The reason is that WOW64 redirected the script's request to enumerate HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to the Wow6432Node location. The script then enumerated the Wow6432Node location again, causing duplicate output.

I then decided it would be useful to determine whether an application is 32-bit or 64-bit, based on the application's installation location in the registry. However, you can't tell (at least not easily) whether the WOW64 emulator is redirecting the registry to Wow6432Node when you're running 32-bit PowerShell on 64-bit Windows.

The new version of Get-InstalledApp.ps1 works around these problems by storing the registry paths from both registry locations as .NET ArrayList objects, then comparing the leaf items from both locations. The leaf item of a location is its final element. For example, the leaf item of the registry path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23170F69-40C1-2702-0920-000001000000} is {23170F69-40C1-2702-0920-000001000000}. Listing 1 shows the compare-leafequality function that the script uses to check whether the two lists contain the exact same list of leaf items. If the function returns $TRUE, the script has detected the WOW64 registry redirection and ignores the Wow6432Node data.
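To show the two-location enumeration and the leaf-comparison check in one runnable piece, here is an added example. It is not Bill Stewart's Get-InstalledApp.ps1; the function name Get-InstalledAppInfo, the use of .NET's OpenRemoteBaseKey (which needs the Remote Registry service running on the target and administrative rights there), and the architecture rule are this example's own choices. The rule goes one step beyond the article's path-only test: if the Wow6432Node key is absent, the target is 32-bit Windows, and if the leaf comparison detects redirection, the "native" key you just read was really Wow6432Node, so in both cases every entry is reported as 32-bit.

```powershell
# Added example (not the article's Get-InstalledApp.ps1). Requires PowerShell 2.0.
# Assumptions: the Remote Registry service is running on remote targets and the
# caller has administrative rights there; the function name and the architecture
# rule below are this example's own choices, not the article's.
function Get-InstalledAppInfo {
  [CmdletBinding()]
  param(
    [Parameter(Position = 0, ValueFromPipeline = $true)]
    [String[]] $ComputerName = $env:COMPUTERNAME,
    [String] $AppName = "*",
    [ValidateSet("32-bit", "64-bit")]
    [String] $Architecture,
    [Switch] $MatchAll
  )

  begin {
    $hive      = [Microsoft.Win32.RegistryHive]::LocalMachine
    $nativeKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    $wow64Key  = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"

    # Same test as Listing 1: two path lists are "equal" when their leaf names match.
    # Compare-Object rejects empty arrays, so handle the empty cases first.
    function Test-LeafEquality($list1, $list2) {
      $leaves1 = @($list1 | ForEach-Object { Split-Path $_ -Leaf })
      $leaves2 = @($list2 | ForEach-Object { Split-Path $_ -Leaf })
      if (($leaves1.Count -eq 0) -or ($leaves2.Count -eq 0)) {
        return ($leaves1.Count -eq $leaves2.Count)
      }
      (Compare-Object $leaves1 $leaves2 | Measure-Object).Count -eq 0
    }

    # Returns the full paths of the subkeys under $path, or $null if the key is absent.
    function Get-SubKeyPaths($baseKey, $path) {
      $key = $baseKey.OpenSubKey($path)
      if ($key -eq $null) { return $null }
      $paths = @($key.GetSubKeyNames() | ForEach-Object { "$path\$_" })
      $key.Close()
      return $paths
    }
  }

  process {
    foreach ($computer in $ComputerName) {
      try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
      } catch {
        Write-Error ("{0}: {1}" -f $computer, $_.Exception.Message)
        continue
      }

      $native = Get-SubKeyPaths $base $nativeKey
      $wow64  = Get-SubKeyPaths $base $wow64Key

      if ($wow64 -eq $null) {
        # No Wow6432Node key: 32-bit Windows, so every entry is a 32-bit application.
        $entries = @($native | ForEach-Object { @{ Path = $_; Arch = "32-bit" } })
      } elseif (Test-LeafEquality $native $wow64) {
        # Identical leaf lists: WOW64 redirected the native read (32-bit PowerShell on
        # 64-bit Windows), so the "native" list is really Wow6432Node. Keep one copy.
        $entries = @($native | ForEach-Object { @{ Path = $_; Arch = "32-bit" } })
      } else {
        $entries = @($native | ForEach-Object { @{ Path = $_; Arch = "64-bit" } }) +
                   @($wow64  | ForEach-Object { @{ Path = $_; Arch = "32-bit" } })
      }

      foreach ($entry in $entries) {
        if ($Architecture -and ($entry.Arch -ne $Architecture)) { continue }
        $sub = $base.OpenSubKey($entry.Path)
        if ($sub -eq $null) { continue }
        $displayName = $sub.GetValue("DisplayName")
        $publisher   = $sub.GetValue("Publisher")
        $version     = $sub.GetValue("DisplayVersion")
        $sub.Close()
        # Entries without a DisplayName are not shown in Programs and Features; skip them.
        if (($displayName -eq $null) -or ($displayName -notlike $AppName)) { continue }
        New-Object PSObject -Property @{
          ComputerName = $computer
          AppID        = Split-Path $entry.Path -Leaf
          AppName      = $displayName
          Publisher    = $publisher
          Version      = $version
          Architecture = $entry.Arch
        } | Select-Object ComputerName, AppID, AppName, Publisher, Version, Architecture
        # Stop after the first match unless -MatchAll was given (fewer registry round trips).
        if (-not $MatchAll) { break }
      }
      $base.Close()
    }
  }
}

# Usage (constructed): every Office install on the computers listed in Computers.txt,
# tagged with its architecture.
# Get-Content Computers.txt | Get-InstalledAppInfo -AppName "*Office*" -MatchAll |
#   Sort-Object Architecture, Version | Format-Table -AutoSize
```

The leaf comparison is deliberately done on subkey names only, so it still works when the two keys hold different value data for the same product; what it cannot distinguish is a 64-bit machine on which exactly the same set of products happens to be installed under both keys, which is why the redirection check is a heuristic rather than a guarantee.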

Find Out What's Installed

The new version of Get-InstalledApp.ps1 can now find and differentiate between 32-bit and 64-bit applications. It also supports pipeline input in place of the -ComputerName parameter. This updated script might be all you need to find applications on computers on your network.
Central Admin quick dive and cheat sheet

by Rob Wilson

There's a chasm in the functionality between SharePoint Foundation 2010 and SharePoint Server 2010 Enterprise. As a result, you might read in a book or on a website about a certain setting, such as in Central Administration, only to discover that the setting doesn't exist on your SharePoint 2010 Foundation server. In this article, and in the accompanying SharePoint 2010 Central Administration Cheat Sheet of option settings, I'll point out which Central Administration settings are available in each edition. For an exhaustive comparison of the features available by edition (including SharePoint Server 2010 Standard), see the SharePoint 2010 website page, "Compare SharePoint Editions" (sharepoint.microsoft.com/en-us/buy/Pages/Editions-Comparison.aspx).

After they configure a new farm, some SharePoint admins rarely use Central Administration except to create new site collections or to perform backups. In other organizations, Central Administration is used more frequently for tasks such as administering custom solutions and service applications, monitoring and reporting, and administering InfoPath form templates. Regardless of which group you fall into, you can benefit from the enhancements to Central Administration in SharePoint 2010. You now have more features available to you, and they're presented in a way that reduces your number of mouse clicks. Central Administration users also benefit from a more intuitive design that makes obscure settings a little easier to find. The Web Applications and Service Applications configuration sections, for example, use the Fluent UI (the Ribbon) that you find in Microsoft Office products and on the SharePoint front-end pages.

It's worth noting that many of the Central Administration options are also available through Windows PowerShell. So if you need to create a script to execute a block of administrative commands, you can also do that from a command line. Most TechNet articles have been updated to identify the Central Administration steps and equivalent PowerShell commands for performing an administrative task. For examples of how to enable sandboxed solutions by using either approach, see the Microsoft article "Enable sandboxed solutions on the farm (SharePoint Foundation 2010)" at technet.microsoft.com/en-us/library/ff535775.aspx.
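As an added example, not from the article or from Microsoft's documentation, here is the PowerShell side of two settings the cheat sheet lists under Security: "Specify web application user policy" and "Define blocked file types". The function below, written for the SharePoint 2010 Management Shell, reads every web application's user policies and reports the accounts granted Full Control, along with the blocked-extension list, which is the quickest way to review least privilege across a farm without clicking through each web application. The function name is this example's own; the object-model members it relies on (Get-SPWebApplication -IncludeCentralAdministration, and the Policies, PolicyRoleBindings and BlockedFileExtensions properties) are used as I know them from the SharePoint 2010 object model, so verify them against your farm. It assumes it runs on a farm server as a farm administrator.

```powershell
# Added example; not part of the article. Run in the SharePoint 2010 Management Shell
# (or any PowerShell session with the Microsoft.SharePoint.PowerShell snap-in loaded)
# on a farm server, as a farm administrator. Function name is this example's own.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
  Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# One row per web application: who holds a Full Control user policy, how many file
# extensions are blocked, and whether the usual dangerous ones are among them.
function Get-WebApplicationSecurityReport {
  foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    $fullControl = @()
    foreach ($policy in $webApp.Policies) {
      # A policy can bind several roles (Full Control, Full Read, Deny Write, Deny All).
      $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name })
      if ($roles -contains "Full Control") {
        $fullControl += $policy.UserName
      }
    }
    $blocked = @($webApp.BlockedFileExtensions)
    New-Object PSObject -Property @{
      WebApplication    = $webApp.DisplayName
      Url               = $webApp.Url
      FullControlUsers  = ($fullControl -join "; ")
      BlockedExtensions = $blocked.Count
      ExeAndDllBlocked  = (($blocked -contains "exe") -and ($blocked -contains "dll"))
    } | Select-Object WebApplication, Url, FullControlUsers, BlockedExtensions, ExeAndDllBlocked
  }
}

Get-WebApplicationSecurityReport | Format-Table -AutoSize
```

A user policy applies across every site collection in the web application and overrides site permissions, so any account in the FullControlUsers column that is not a service account or a deliberately chosen administrator deserves a second look; the Central Administration page that created it is listed in the cheat sheet under Security.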


Home Page View 

There are few differences between the home pages of the two Central Administration editions. The home page for the Central Administration Enterprise edition contains just four additional links. The differences are more readily discernible when you drill into the secondary and tertiary settings pages.

In addition to the number of settings pages, there are also differences in the specific settings on 
some of the common pages. For example, the Tags and Notes tool is available in SharePoint Server 
2010 Standard and SharePoint Server 2010 Enterprise. Because Central Administration was built on 
top of a SharePoint 2010 site, if you have the Standard or Enterprise edition you can take advantage 
of the tagging and notes features to include the "I Like It" and "Tags & Notes" links on most of the 
Central Administration pages. You can use this functionality to develop your own Help system in 
Central Administration. 

Something that stands out like a sore thumb on both home pages is the red message bar indicating that "SharePoint Health Analyzer has detected some critical issues that require your attention." That message is prominent by design. SharePoint Health Analyzer is a helpful new feature in all editions of SharePoint 2010 that points out issues in the farm configuration and warns you about potential hardware, security, and performance issues. Some of the identified problems are accompanied by an autocorrect option.

SharePoint 2010 Central Administration Cheat Sheet
(X = setting available in that edition; blank = not available)

Application Management                                     Foundation   Enterprise
  Web Applications
    Manage web applications                                    X            X
    Configure alternate access mappings                        X            X
  Site Collections
    Create site collections                                    X            X
    Delete a site collection                                   X            X
    Confirm site use and deletion                              X            X
    Specify quota templates                                    X            X
    Configure quotas and locks                                 X            X
    Change site collection administrators                      X            X
    View all site collections                                  X            X
    Configure self-service site creation                                    X
  Service Applications
    Manage service applications                                X            X
    Configure service application associations                 X            X
    Manage services on server                                  X            X
  Databases
    Manage content databases                                   X            X
    Specify the default database server                        X            X
    Configure the data retrieval service                       X            X

Backup and Restore                                         Foundation   Enterprise
  Farm Backup and Restore
    Perform a backup                                           X            X
    Restore from a backup                                      X            X
    Configure backup settings                                  X            X
    View backup and restore history                            X            X
    Check backup and restore job status                        X            X
  Granular Backup
    Perform a site collection backup                           X            X
    Export a site or list                                      X            X
    Recover data from an unattached content database           X            X
    Check granular backup job status                           X            X

General Application Settings                               Foundation   Enterprise
  External Service Connections
    Configure send to connections                              X            X
    Configure document conversions                             X            X
  InfoPath Forms Services
    Manage form templates                                                   X
    Configure InfoPath Forms Services                                       X
    Upload form template                                                    X
    Manage data connection files                                            X
    Configure InfoPath Forms Services Web Service Proxy                     X
  Site Directory
    Configure the Site Directory                                            X
    Scan Site Directory Links                                               X
  SharePoint Designer
    Configure SharePoint Designer settings                     X            X
  Search
    Farm Search Administration                                              X
    Crawler Impact Rules                                                    X
  Content Deployment
    Configure content deployment paths and jobs                             X
    Configure content deployment                                            X
    Check deployment of specific content                                    X

Monitoring                                                 Foundation   Enterprise
  Health Analyzer
    Review problems and solutions                              X            X
    Review rule definitions                                    X            X
  Timer Jobs
    Review job definitions                                     X            X
    Check job status                                           X            X
  Reporting
    View administrative reports                                             X
    Configure diagnostic logging                               X            X
    Review Information Management Policy Usage Reports                      X
    View health reports                                        X            X
    Configure usage and health data collection                 X            X
    View Web Analytics reports                                              X

Upgrade and Migration                                      Foundation   Enterprise
  Upgrade and Patch Management
    Convert farm license type                                               X
    Enable Enterprise Features                                              X
    Enable Features on Existing Sites                                       X
    Check product and patch installation status                X            X
    Review database status                                     X            X
    Check upgrade status                                       X            X

Security                                                   Foundation   Enterprise
  Users
    Manage the farm administrators group                       X            X
    Approve or reject distribution groups                      X            X
    Specify web application user policy                        X            X
  General Security
    Configure managed accounts                                 X            X
    Configure service accounts                                 X            X
    Configure password change settings                         X            X
    Specify authentication providers                           X            X
    Manage trust                                               X            X
    Manage antivirus settings                                  X            X
    Define blocked file types                                  X            X
    Manage web part security                                   X            X
    Configure self-service site creation                       X            X
  Information Policy
    Configure information rights management                    X            X
    Configure Information Management Policy                    X            X

Configuration Wizards                                      Foundation   Enterprise
  Farm Configuration
    Launch farm configuration wizard                           X            X

System Settings                                            Foundation   Enterprise
  Servers
    Manage servers in this farm                                X            X
    Manage services on server                                  X            X
  E-Mail and Text Messages (SMS)
    Configure outgoing e-mail settings                         X            X
    Configure incoming e-mail settings                         X            X
    Configure mobile account                                   X            X
  Farm Management
    Configure alternate access mappings                        X            X
    Manage farm features                                       X            X
    Manage farm solutions                                      X            X
    Manage user solutions                                      X            X
    Configure privacy options                                  X            X
    Configure cross-firewall access zone                       X            X

Figure 1: Central Administration Web Applications settings [screenshot not reproduced]

Figure 2: Central Administration Application Management operations [screenshot not reproduced; it shows the Web Applications, Site Collections, Service Applications, and Databases sections of the Application Management page]

Central Administration is divided into 
the following primary categories: 

• Application Management 

• System Settings 

• Monitoring 

• Backup and Restore 

• Security 

• Upgrade and Migration 

• General Application Settings 

• Configuration Wizards 

Most of these primary categories are split 
into two or more sections on the individual 
category pages. For the most part, these 
features are categorized in an intuitive 
manner, but there are some anomalies. See 
the cheat sheet for more information about 
how to navigate the settings pages. 

In all, Central Administration contains more than 80 settings pages. But the configuration options go much deeper than that. The Web Applications settings, for example, branch out to about 20 additional settings pages and dialog boxes, as Figure 1 shows.

Application Management 

I won't walk through all the settings in Central Administration, but I will visit a few. Probably one of the deepest areas of Central Administration is Application Management, which Figure 2 shows. This category is divided into the following sections:

• Web Applications

• Site Collections

• Service Applications

• Databases

On the Web Applications management page, you can configure settings that are related to Microsoft IIS, the SMTP server, and various permissions and policies. By using alternate access mappings, you can configure which addresses your users will use when they access the portal from internal and external locations.

On various pages in the Site Collections section, you can set default properties for site collection templates. You can also create, edit, view, and delete site collections.

The Service Applications section lets you administer some of the built-in service applications, such as Excel Services and Search. You can also include your own service applications in this section. For example, you can deploy a service application to configure a custom application.

On the Manage services on server page, you can start and stop some of the SharePoint services and edit their settings. The Databases section lets you manipulate your content databases.
Monitoring

The Monitoring category of Central Administration breaks down into the following sections:

• Health Analyzer

• Timer Jobs

• Reporting

The most notable difference between the Foundation and Enterprise editions in this category relates to reporting. The administrative reports, Information Management Policy Usage reports, and Web Analytics reports are not available in SharePoint Foundation 2010. These reports are used for search administration, tracking visits and visitors, and so on.

General Application Settings 

The final area I will touch on is the General 
Application Settings category. In this area 
alone, SharePoint Server 2010 Enterprise 
offers four more configuration categories 
and 12 more configuration sections than 
SharePoint Foundation 2010. The most 
commonly used of these additional options 
are the InfoPath Forms Services section 
and the Farm Search Administration page. 

A valuable and often overlooked section 
is Content Deployment. By using content 
deployment, you can publish SharePoint 
content from one farm to another farm, 
or from one site to another site, among 
other tasks. 

Keep Your Options (Cheat Sheet) Open 

Make sure that you check out the Central 
Administration cheat sheet. Print it and 
keep it handy for reference. I recommend 
that you keep a digital copy handy as well so 
that you can search it quickly for the exact 
location of a particular setting. In future 
articles, I will go into greater detail about 
settings and configurations as we continue 
to explore specific areas of SharePoint 2010 
Central Administration. 
PRODUCT

MetaVis Releases Information Manager for SharePoint 2010

MetaVis Technologies has announced MetaVis Information Manager for SharePoint 2010, which lets users bulk import, copy, and classify content directly from the SharePoint user interface. Information Manager is embedded directly into the SharePoint 2010 ribbon, letting authorized users classify, upload, and copy content using familiar controls and interfaces. Information Manager allows authorized SharePoint users to copy content between different SharePoint sites, site collections, lists and libraries, as well as bulk import from file shares (while retaining file system metadata) and tag in one process from the SharePoint ribbon.

"While SharePoint 2010 provides tagging and classification technology, it is limited to individual items, making it an underutilized feature," said Peter Senescu, President and Co-founder of MetaVis Technologies. "Having classification capabilities and not using them is an opportunity lost for organizations. MetaVis Information Manager makes importing and tagging content seamless and easy. SharePoint information becomes well organized, manageable and, most importantly, searchable."

To learn more about MetaVis product offerings, check out "Maximize Your SharePoint 2010 Investment with MetaVis" at www.windowsitpro.com, InstantDoc ID 104622. To download a free trial of Information Manager, visit www.metavistech.com.

TITUS Classification for Microsoft Office

TITUS has announced the availability of its classification policy solution, TITUS Classification for Microsoft Office, formerly known as TITUS Document Classification. The solution includes enhanced feature sets and functionality specific to Microsoft Office to classify, label, and protect documents from data loss. TITUS Classification for Microsoft Office interoperates with the McAfee Host Data Loss Prevention (DLP) solution, letting customers add user-driven classification to further protect sensitive and confidential information right at the desktop. New features in this version include dynamic labeling, label mapping, and SharePoint interoperability. To learn more, visit www.titus.com.

Red Earth Software's Policy Patrol Archiver for Email Archiving on Exchange

Red Earth Software released its Policy Patrol Archiver, an email archiving and electronic discovery solution for small and medium-sized businesses (SMBs) using Microsoft Exchange Server. Policy Patrol Archiver lets SMBs meet compliance needs, reduce Exchange store size, and boost Exchange performance. Policy Patrol Archiver automatically stores emails in a centralized archive location, allowing administrators to set email retention policies and meet email archiving requirements. Emails are archived into the database instantly, so that even if a user deletes an email, it will still be archived into the database. To learn more, visit www.policypatrol.com.

Napatech Software Suite for 
Network Appliance Development 

Napatech has announced the introduction of its Napatech Software Suite. The solution includes features that make development of multi-port and multi-application network appliances faster and easier. The release includes functionality for merging data from ports on multiple Napatech network adapters into a single stream for analysis. In addition, the suite provides plug-and-play support for Napatech's network adapters. The data sharing features provided by the Napatech Software Suite let multiple physical appliances be consolidated onto a single physical server. To learn more, visit www.napatech.com.

USB Device Redirection and 
Isolation Get Easy 

Incentives Pro has released the TS Edition of its USB Redirector. The new software allows simple USB device redirection to a terminal server and enables device isolation in an RDP session. USB Redirector lets users redirect their devices to the server and use them in a remote Windows session. Users can also isolate USB devices in an RDP session, making them inaccessible and invisible to other users. The program currently supports isolation for mass storage devices and human-interface devices. To make the software even more usable, Incentives Pro has added compatibility with USB Redirector for Linux. To learn more, visit www.incentivespro.com.

Intel Introduces AppUp Small 
Business Service Featuring Asigra 
Cloud Backup 

Asigra announced that it has joined with Intel to offer hybrid cloud backup as part of the Intel AppUp Small Business Service. The new solution delivers the advantages of offsite backup with the security and performance of an onsite server for both local and remote recovery. Asigra Cloud Backup is one of a select group of applications preloaded for shipment with the new Intel solution. The Intel AppUp Small Business Service features a mix of local and cloud software with an Intel Xeon-based server that comes pre-loaded with tools for remote management, firewall, VoIP/PBX, and backup. To learn more, visit www.intel.com.

Fujitsu Releases North American 
Global Cloud Platform 

Fujitsu has announced the North American rollout of its Global Cloud Platform. The service will become available on September 1 and offer scaled pricing. The platform incorporates multi-tier security for an enterprise-grade environment. Its browser interface makes it simple to build, provision, and manage secure environments for even relatively complex, three-tier workloads. The offering supports Microsoft, Linux, and CentOS open source-based applications. To learn more, visit www.fujitsu.com.

Secure Your Emails with eCrypt.me 

eCrypt Technologies has launched eCrypt.me, a web-based email and file encryption service. One feature of eCrypt.me is its secure File Vault, where users can securely store files for secure, on-the-fly access from any device with an Internet connection, including PCs, Macs, smartphones, and tablets. eCrypt's strong focus on privacy and end user control influenced development of the platform to prevent unauthorized access to the contents of messages and files by anyone, including eCrypt. To learn more, visit www.ecryptinc.com.
ComTrade's Management Pack for Citrix XenDesktop 5 on SCOM

ComTrade has announced the release of its new Management Pack for Citrix XenDesktop 5. In addition, ComTrade's existing Management Pack for Citrix XenApp now supports XenApp 6. Both products are integrated in Microsoft System Center Operations Manager (SCOM) to provide simple installation, minimal training, and easy maintenance. ComTrade's Management Pack for Citrix XenDesktop includes a fully featured availability and performance management solution and extends the end-to-end service monitoring capabilities of SCOM to include Citrix XenDesktop 5 infrastructure. To learn more, visit www.comtrade.com.


Paul's Picks

www.winsupersite.com

Summaries of in-depth product reviews on Paul Thurrott's SuperSite for Windows

Apple iOS 5 for iPhone, iPad, 
iPod Touch 

PROS: Finally picks up much needed features from other mobile platforms

CONS: Best features were literally copied from other mobile platforms

RATING: ♦♦♦OO

RECOMMENDATION: Apple's iOS now runs on many of the world's best-selling mobile devices. But we're seeing a slowing of innovation. Most of the big new iOS 5 features are culled straight from Android, BlackBerry, and Windows Phone. The new notifications look and work like Windows Phone notifications. Camera improvements were lifted from Windows Phone, and the split virtual keyboard first appeared in Microsoft's UltraMobile PC products several years ago. iMessage? It's a proprietary, Apple-only version of the BlackBerry Messaging Service (BMS). Not exactly the innovation message Apple likes to project.

CONTACT Apple • www.apple.com 

DISCUSSION: http://www.winsupersite.com/article/apple/wwdc-2011-competitive-analysis-apples-platforms-136401

Apple Mac OS X "Lion" 

PROS: iPad-style UIs; inexpensive; loose licensing terms

CONS: Yet another minor OS X update, delivered only via download

RATING: ♦♦♦OO

RECOMMENDATION: Transitioning from its buggy Mac OS past to the more durable and reliable Mac OS X, Apple has delivered a decade's worth of minor, evolutionary updates, and Mac OS X 10.7 "Lion" is just the latest. Some UIs are pure iPad, and with mixed results. But other Lion ideas simply speak to how tired this desktop-based OS has become. What Apple gets right, however, is pricing and licensing: Lion is $29, and you can install a single copy of the system on as many Macs as you own. That said, it's download-only, and an upgrade only for those users who have the previous version, Snow Leopard, installed. So later system rebuilds will require you to install Snow Leopard first, then Lion.

CONTACT Apple • www.apple.com 

DISCUSSION: www.winsupersite.com/article/apple/wwdc-2011-competitive-analysis-apples-platforms-136401
PowerShell Plus 4.0

Beginning with Microsoft Exchange Server 2007, Microsoft has been slowly integrating PowerShell into all of its enterprise products. Many products, including Exchange, use PowerShell exclusively, with administration GUIs as mere front ends to PowerShell.

Despite all of PowerShell's flexibility and power, what was sorely lacking at the product's introduction was a quality IDE. PowerShell is an object-based language that offers advanced scripting, but writing scripts in Notepad or another text editor quickly becomes tedious. Fortunately, several third-party companies stepped up to provide IDEs for PowerShell. And with the release of PowerShell 2.0, Microsoft even included an IDE of its own, the Integrated Scripting Environment (ISE).

I recently took a look at PowerShell Plus 4.0 from Idera to see whether it's a worthwhile addition to an IT professional's toolkit. Idera offers a fully functional 30-day trial of PowerShell Plus, with one small caveat: You have to provide some personal information, including your email address, before the company will provide the download link. Idera uses your email address to send you the download link, but the company also signs you up for some follow-up newsletters. Although it was easy to unsubscribe myself from these newsletters, I wasn't told in advance that I would receive them.

Despite this initial annoyance, the product downloaded quickly and installed without any issues on my Windows 7 Professional test system. Eager to say goodbye to my days of using Notepad to work on PowerShell scripts, I fired up the application and was greeted with an initial setup wizard.

The setup wizard first examined the script execution policy in place for my PowerShell scripts and found it to be set to the default value. The wizard suggested changing the policy to Remote Signed and offered to make the change for me. In addition, the wizard included the other possible settings for the policy and offered an explanation of each. PowerShell Plus includes the ability to email your PowerShell scripts directly from within the application, which is a nice touch. My only complaint is that the email setup requires an SMTP server to be available, something that I didn't have on my test network. Because there was no way to skip this section of the wizard, I had to spend time entering bogus values just to move through this portion of the setup.
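The execution policy the wizard offers to change decides which scripts PowerShell will run at all, and it is set per scope, so the value in one scope can be overridden by another. The PowerShell below is an added example, not the reviewer's or Idera's code: it reports the policy in every scope, flags any scope weaker than RemoteSigned, and raises the policy only when the effective setting is weaker than the requested minimum (the function names are this example's own).

```powershell
# Added example (not from the review or from Idera's product): audit the script
# execution policy that the PowerShell Plus setup wizard offers to change, and
# tighten it only where it is weaker than RemoteSigned.
# Needs PowerShell 2.0 or later (Get-ExecutionPolicy -List arrived in 2.0).

# Policies ranked from least to most restrictive. Undefined means the scope is
# not set and the effective policy comes from the next scope in precedence.
$policyRank = @{
    'Bypass'       = 0
    'Unrestricted' = 1
    'RemoteSigned' = 2
    'AllSigned'    = 3
    'Restricted'   = 4
    'Undefined'    = -1
}

function Get-ExecutionPolicyReport {
    # One object per scope, plus the policy PowerShell actually enforces.
    $effective = (Get-ExecutionPolicy).ToString()
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $policy = $entry.ExecutionPolicy.ToString()
        New-Object PSObject -Property @{
            Scope     = $entry.Scope.ToString()
            Policy    = $policy
            Effective = $effective
            # Weak: a defined policy that lets unsigned downloaded scripts run.
            Weak      = ($policyRank[$policy] -ge 0 -and
                         $policyRank[$policy] -lt $policyRank['RemoteSigned'])
        }
    }
}

function Set-MinimumExecutionPolicy {
    param(
        [ValidateSet('RemoteSigned', 'AllSigned', 'Restricted')]
        [string]$Minimum = 'RemoteSigned',
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Scope = 'CurrentUser'
    )
    # Change nothing when the effective policy already meets the minimum, so a
    # machine that an administrator set to AllSigned is never loosened.
    $current = (Get-ExecutionPolicy).ToString()
    if ($policyRank[$current] -ge $policyRank[$Minimum]) {
        Write-Verbose "Effective policy $current already meets $Minimum; nothing changed."
        return $current
    }
    # LocalMachine scope needs an elevated session; CurrentUser does not. If a
    # Group Policy (MachinePolicy/UserPolicy) is in force, PowerShell writes the
    # value but reports that the more specific scope still overrides it.
    Set-ExecutionPolicy -ExecutionPolicy $Minimum -Scope $Scope -Force
    return (Get-ExecutionPolicy).ToString()
}

# Usage: show the per-scope report, then enforce RemoteSigned for the current user.
Get-ExecutionPolicyReport | Format-Table Scope, Policy, Weak, Effective -AutoSize
Set-MinimumExecutionPolicy -Minimum 'RemoteSigned' -Scope 'CurrentUser' -Verbose
```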

As soon as I completed the wizard, I was able to easily navigate the software. As Figure 1 shows, Idera uses the Fluent interface that Microsoft introduced in Office 2007, which makes it a breeze to find features. The software was very inviting, and it included a selection of scripts in various script libraries. I was able to add my own scripts to a personal library and modify the scripts that were included. In speaking with Idera, I confirmed that this was by design—the included scripts are meant to get you started, not to be a complete solution. These starter scripts, combined with the product's Interactive Learning Center, make the software a compelling alternative to the free ISE that's included with PowerShell 2.0, especially if you're new to writing PowerShell scripts or just new to PowerShell in general.

The IDE includes features that anyone who has used Visual Studio will feel at home with, such as color coding, tab completion, debugging, code examples, and IntelliSense, a feature that, disappointingly, Microsoft didn't include in the PowerShell 2.0 ISE. These features stand alongside standard editor staples such as undo, redo, and find and replace. One of the IDE's tabs is an actual PowerShell console. This is where you can run any scripts you create, or where you can run a PowerShell one-liner. Being able to see your scripts run in real time, and having a full PowerShell console window that can be manipulated within the IDE, is very welcome.


Overall, I was impressed with PowerShell Plus and would recommend the product. I found the software to be useful and worth the modest price, especially for anyone who spends a fair amount of time working with PowerShell or who wants to become more proficient at it. Idera also offers a free license to anyone who is a Microsoft MVP, which is a nice way for the company to give back to the PowerShell community. Even if you're currently happy with the PowerShell 2.0 ISE and are on the fence about trying PowerShell Plus, I encourage you to give it a trial run. The additional features Idera includes in PowerShell Plus might just compel you to switch.
PowerShell Plus 4.0

PROS: Solid IDE; includes useful scripts to get 
started; easy access to PowerShell console 

CONS: Email setup is required but isn't full-featured; trial download covertly signs you up for newsletters

RATING: ♦♦♦♦O 

PRICE: $199 for a single-user license; free 
license for Microsoft MVPs 

RECOMMENDATION: I recommend this 
product to anyone who frequently works with 
PowerShell. 

CONTACT: Idera • 877-464-3372 • 
www.idera.com 
SCUPdates

Considering that third-party applications now pose a bigger security risk than Microsoft software, all organizations must have a strategy for ensuring that non-Microsoft applications are patched in a timely manner. This is where Shavlik's SCUPdates can help.

SCUPdates supplements Microsoft System Center Updates Publisher for Microsoft System Center Configuration Manager (SCCM) 2007. System Center Updates Publisher publishes third-party software updates to Windows Server Update Services (WSUS) for deployment by using SCCM. Software update catalogs (.cab files) or updates that are provided as .exe files, .msi files, or .msp files can be imported into System Center Updates Publisher.

Shavlik provides third-party software 
updates for a series of commonly deployed 
non-Microsoft applications, such as Adobe 
Acrobat Reader and RealPlayer, as the 
updates are made available by the vendors. 
The updates are packaged for use with 
System Center Updates Publisher. They are 
then tested by Shavlik and distributed as 
.cab files to customers via email. 

To use SCUPdates, you must be running SCCM 2007 SP2 on Windows Server 2003 SP2 or a later version of Windows Server. You must also have WSUS 3.0 SP2 and System Center Updates Publisher 4.5 installed. If you're not already using System Center Updates Publisher with SCCM, you can download the tool from the Microsoft Download Center (www.microsoft.com/download/en/details.aspx?id=11940). System Center Updates Publisher is licensed for use only with SCCM and with Microsoft System Center Essentials (SCE).

Although Shavlik charges you to download its catalogs for System Center Updates Publisher, you should note that Adobe provides free catalogs for Flash Player, Acrobat, and Acrobat Reader—as does the free, limited-use version of SCUPdates. Dell and HP also provide catalogs for updating software by bundling the catalogs with their servers and workstations. For more information, see "Third-Party Custom Catalogs for Configuration Manager 2007 and System Center Essentials 2007" at technet.microsoft.com/en-us/systemcenter/cm/bb892875.aspx.

System Center Updates Publisher uses the localupdates API to publish catalogs to WSUS. Because of the API's limitations, you can't view updates in the WSUS administration console. Instead, you must manage updates by using SCCM or SCE. For more information about WSUS local update publishing, see "Publishing Third-Party Updates to WSUS" (February 2011, InstantDoc ID 129241).

Figure 1: SCUPdates-published updates imported into System Center Updates Publisher

When I imported the main .cab file that's provided by SCUPdates into System Center Updates Publisher, 307 separate updates were loaded and displayed as ready for publication. SCUPdates supports popular applications such as RealPlayer, Adobe AIR, and Skype. However, programs such as Google Chrome and WinZip were noticeably absent. SCUPdates also provided two other .cab files, one for Apple applications and the other for the Sun Java runtime environment. You can find a full list of supported products on the Shavlik website at community.shavlik.com/answers/viewQuestion.apexp?id=906C0000000TSjulAG. Figure 1 shows updates that have been imported into System Center Updates Publisher by using SCUPdates.

If you already have a working SCCM server and System Center Updates Publisher set up and configured, it will take you just a few mouse clicks to import the SCUPdates catalogs. Right-click System Center Updates Publisher in the System Center Updates Publisher console, click Import Update(s) on the menu, and browse through the relevant .cab files. After the SCUPdates files are imported, you must set the publish flags for updates that you want to publish to Full Content or to Metadata Only in the System Center Updates Publisher console. In the Actions pane, click Publish Update(s). Everything from that point on relies on System Center Updates Publisher, SCCM, and WSUS. No additional software or agents are required to use SCUPdates.
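Because the SCUPdates catalogs arrive as .cab files by email and are then pushed to every managed machine, a practitioner would want to confirm what a catalog is and where it came from before clicking Import Update(s). The following PowerShell function is an added example, not Shavlik's or Microsoft's code: it checks the .cab's Authenticode signature and signer, computes a SHA-256 hash to compare against a value obtained from the vendor out of band, and lists the cabinet's members with expand.exe without extracting them. The catalog path and the expected signer name are placeholders.

```powershell
# Added example (not from the review, Shavlik, or Microsoft): vet a third-party
# update catalog (.cab) before importing it into System Center Updates Publisher.
# Runs on PowerShell 2.0 and later; expand.exe ships with Windows.

function Test-UpdateCatalog {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Text expected in the signing certificate's subject (placeholder value).
        [string]$ExpectedSigner = 'CN=EXPECTED-CATALOG-PUBLISHER-PLACEHOLDER'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Catalog not found: $Path"
    }
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Authenticode check: validates the signature and the certificate chain
    # against the local trust stores. Only a status of Valid is acceptable.
    $sig = Get-AuthenticodeSignature -FilePath $fullPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerMatches = ($signer -like "*$ExpectedSigner*")

    # SHA-256 of the file, to compare with a hash the vendor publishes through a
    # channel other than the e-mail that delivered the catalog.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($fullPath)
    try {
        $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }

    # List the cabinet's members without extracting anything. expand -D prints
    # one "<cab>: <member>" line per file; keep only the member names.
    $members = @(& expand.exe -D $fullPath | ForEach-Object {
        if ($_ -match '\.cab:\s*(\S.*)$') { $Matches[1].Trim() }
    })

    # A catalog normally carries update metadata (XML); binaries inside the
    # cabinet itself deserve a second look before anything is published.
    $binaries = @($members | Where-Object { $_ -match '\.(exe|msi|msp|dll)$' })

    New-Object PSObject -Property @{
        Path            = $fullPath
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        SignerMatches   = $signerMatches
        Sha256          = $hash
        MemberCount     = $members.Count
        Binaries        = $binaries
        # Import only when both the signature and the signer check out.
        SafeToImport    = ($sig.Status -eq 'Valid' -and $signerMatches)
    }
}

# Usage (placeholder path): review the report, then import through the
# System Center Updates Publisher console only if SafeToImport is True.
Test-UpdateCatalog -Path 'C:\Catalogs\PLACEHOLDER-catalog.cab' | Format-List
```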


You could consider SCUPdates to 
be more of a service than a product. In 
principle, it shouldn't be difficult to create 
updates by using System Center Updates 
Publisher, as long as software vendors 
provide suitable update packages. However, 
it does require some experience and time to 
test the process, and SCUPdates eliminates 
this task by taking over the process. The 
program helps reduce the amount of time 
between the release of patches by vendors 
and the deployment of patches on your 
network. If you put SCUPdates to work, all 
that's left for you to do is to make sure that 
the updates distributed to your servers and 
workstations don't adversely affect your 
production environment. ♦ 

InstantDoc ID 136344 

SCUPdates 

PROS: Reduces testing time when you deploy 
third-party updates 

CONS: Covers a limited range of products 

RATING: ♦♦♦♦O 

PRICE: $5 per endpoint 

RECOMMENDATION: SCUPdates is useful 
for smaller organizations that don't have the 
resources to package third-party updates, but it 
could prove pricey for larger organizations. 

CONTACT: Shavlik Technologies • 800-690-6911 
• www.shavlik.com 


Russell Smith | rms45@rsitc.com




54 AUGUST 2011 Windows IT Pro 


We're in IT with You 


www.windowsitpro.com

ENow Mailscape 

I've worked with many reporting and monitoring tools over the course of my 15 years in this industry, and it's rare that I've had a positive experience. Overly complicated, set-it-but-never-forget-it solutions have kept me at a console for more hours than I can count. I'm not complaining about the power of these solutions, but I do object to the need to have a PhD to install and work with them.

In this regard, ENow's Mailscape is 
a breath of fresh air. This product offers 
simplified reporting and monitoring on the 
front end and powerful features to tap in 
to on the back end. 

Typically, I prefer to install a product 
myself; but the folks at ENow offer a free 
guided installation service. So I slipped into 
consumer mode and asked them to do so 
for me—with one twist: I'd be watching the 
process happen so that I could fairly rate it. 

As it turns out, the installation was easy and went smoothly. It took less than 30 minutes to get the program running on several Microsoft Exchange Server 2010 servers.

The Mailscape setup consists of a website installed on a Microsoft IIS server, an agent on the monitored server, and a connection to a Microsoft SQL Server database if you want the report customization. Mailscape supports Microsoft SQL Express and Microsoft SQL Server 2005 and later versions. You can monitor Microsoft Exchange Server 2003 through Microsoft Exchange Server 2010 and servers that run on Windows 2003 or later versions. Communication between the monitored servers and the web server can be configured on any port.

In my case, the agent was manually 
installed on several systems. However, ENow 
recently added the ability to automatically 
push the client out to servers. Installing 
the client took only one minute and didn't 
require a reboot. A nice feature is that 
Mailscape monitors its own performance in 
addition to the performance of the servers. 

It takes only a glance at the Mailscape Monitoring Dashboard to get a sense of why this is my favorite program feature: it's simple and colorful, with red, yellow, and green indicator lights that mimic a Star Trek (original series) console, as Figure 1 shows. The moment a problem occurs, you receive a visual alert. An easy way to test the monitoring features is to stop some mail-oriented services and watch the red lights start blinking.

Mailscape keeps an eye on nearly everything that you would expect a solid monitoring product to track. And while I would like to see it also report on additional server types, such as Office Communications Server/Lync and SharePoint, I'm told that this functionality is coming later this year. Still, I was quite pleased with the level of detail in the Exchange and Active Directory (AD) areas. For example, the display for Exchange 2010 servers shows whether your Client Access servers and database availability group (DAG) servers are functioning and configured correctly.

Although Mailscape can monitor some 
low-level Exchange components, I did 
not find the product overly complicated. 
The dashboard lets you drill down into an 
area for more details. For less experienced 
administrators, the program includes a 
built-in knowledge base that helps you 
troubleshoot problems. 

I found the Mailscape reporting capabilities very robust. Out-of-the-box, the product provides more than 200 reports. You can also create custom reports based on existing content or from scratch. Mailscape's report wizard lets you customize a report based on almost anything in AD, including user and custom attributes, groups, and organizational units. The reporting interface takes a few minutes to get used to, but it provides a lot of power.

One of the most impressive things about this product is that it combines many features generally found in separate products. It includes scores of features that are in monitoring and reporting applications and in mobile device management solutions. Perhaps Mailscape's coolest feature is that it can display all this varied information in customized dashboards. Several sample dashboards are provided, including a simple and intuitive Help Desk dashboard, as well as others for management, security teams, and Exchange/AD administrators.

I found the mobile device monitoring and reporting feature very useful. Mailscape automatically tests Client Access servers to make sure that ActiveSync is working. It also includes BlackBerry monitoring features that let you visually correlate users and devices through a cool graphic that pinpoints where an issue is occurring.

I look forward to seeing what else ENow comes up with in the way of support for more elements on a network. But in the current version of Mailscape, they already have Exchange monitoring and reporting nailed down.
Mailscape

PROS: Combines Exchange reporting and monitoring, is easy to use, and is incredibly intuitive yet customizable

CONS: Doesn't include OCS/Lync, SharePoint, 
and some other reporting features (reported to 
be coming in a future release) 

PRICE: Small Business starts at $1,500 for two 
servers plus console; for Enterprise pricing, 
contact vendor 

RATING: ♦♦♦♦♦ 

RECOMMENDATION: Offers simplified reporting and monitoring on the front end and powerful features to tap in to on the back end

CONTACT: ENow • 877-879-3669 • enowinc.com 
Backup My Info!

Despite its name, which might suggest a lightweight consumer-oriented product, Backup My Info! (or BUMI, for short) is a comprehensive cloud-based storage solution that scales for large enterprises. The product is based on technology provided by Asigra, a company that has offered backup solutions since 1986. BUMI supports an impressive array of OSs and applications, including Windows, Linux, Mac OS X, Microsoft Exchange Server, Microsoft SQL Server, Microsoft Office SharePoint Server, SAP's ERP software, and Oracle databases.

BUMI engineers use remote-control technology to install the product. They're on hand around the clock to monitor logs, inform clients if there's a problem with a backup job, and assist with restore operations if necessary. Installation of BUMI involves assigning a server to run the DS-Client software. The client software connects through port 4401 (TCP and UDP) to the DS-Service software running at the remote data center. The firewall rule can be locked down to a specific external IP address. DS-Client uses SQL Server 2005 Express to store backup catalogs. The management interface (DS-User) is simple and intuitive.

BUMI refers to each data set created by a 
backup job as a generation. You can specify 
the number of generations that should be 
kept until the oldest generation of a file is 
overwritten. In addition, you can specify 
retention rules to make sure that a generation 
from a given time frame isn't deleted (e.g., 
keep one generation per month for 1 year). 

DS-Client can perform an initial encrypted backup on a portable hard disk to send by courier to the data center. This avoids having to synchronize huge amounts of data over the Internet to make the first-generation copy. Furthermore, BUMI can keep the latest generation of backup on a local disk in addition to the copy in the remote data center, thereby enabling organizations to restore data quickly in the event of a disaster.

DS-Client can be installed on a dedicated server. You can back up any device or supported application without having to lay your hands on those devices. This reduces the risk of downtime caused by agent deployment, upgrades, or operational problems that can be created by backup programs. The ability to run agentless backup and restore operations also extends to non-Windows OSs. In my testing, I had no problem getting BUMI to back up another Windows-based server across the network. Moreover, there seemed to be no noticeable slowdown on the device while the backup was in progress. BUMI can also throttle bandwidth—a useful feature if you want to run online backups at busy times.

During the restore process, you must click File Info to get access to any backup other than the generation that's stored locally. This isn't entirely intuitive, but it didn't take long to figure out. The Restore Now Wizard dialog box opens to show the generations that are stored in the cloud. The local backup is marked for clarity.

Complete restores of Windows servers from local storage or from the online vault are supported, but you must have an OS preinstalled, and you must include the system state and the Services database in the backup set. BUMI also supports brick-level restoration of Exchange data, down to individual messages. Backup and restore operations are performed at the maximum capacity of the client's data circuit—unless you otherwise throttle the operation in the DS-Client configuration settings.

BUMI includes Asigra's Backup Lifecycle Management, which archives non-critical data to a cheaper storage medium. This two-tier storage system lets you give priority during a restore operation to data that's stored in the online vault over data that's stored in the archive, thus ensuring that critical business data gets restored first.

The advantage of this two-tier system is that it helps lower costs, achieve compliance, and optimize restore operations. BUMI's data-retention strategy is to store frequently changed files in the online vault. This typically amounts to about 10 percent of an organization's data. The remaining 90 percent is stored at a lower cost in an archive vault. In a major disaster recovery scenario, critical data in the online vault can be restored quickly over the Internet, and the remaining archive vault data can be shipped on an encrypted disk overnight by courier, free of charge.


Asigra's technology performs data deduplication at the client's site when a backup job runs so that a minimum of data is transferred to the online vault. In addition, deduplication is performed at the data center to further minimize data collected if a customer has multiple DS-Client instances. This reduces the volume of data that must be stored on disk, which translates to reduced costs for customers. Deduplication isn't applied to backups that are stored on a local disk, but local backups are compressed. BUMI uses block elimination to ensure that only the changes to files are backed up, further reducing the disk space required by the backed-up data. This is the kind of advanced feature that you would expect from a mature, enterprise-class solution. In addition, data is encrypted both on disk and over the wire.

Restoring an Exchange database or a Windows server can be stressful, even with the best of planning. Although BUMI scales for large enterprises, it's especially suited to small-to-midsized businesses (SMBs) that have little or no onsite support and whose managers want the assurance that their data can be restored quickly.
Backup My Info!

PROS: Intelligent placement in tiered storage, compression, and deduplication of data to minimize storage costs; agentless architecture

CONS: Data centers limited to North America; no bare-metal restores

RATING: ♦♦♦♦O

PRICE: $150 a month for up to 20GB (compressed); $6 per additional compressed gigabyte in the online vault and $3 per compressed gigabyte in the archive vault

RECOMMENDATION: The technology behind BUMI is mature and trusted by enterprises worldwide. BUMI is suited to companies that want the peace of mind from knowing that expert help is always on hand to deal with backup and restore issues.

CONTACT: BUMI • 866-444-2864 • www.backupmyinfo.com
WWW.WINCONNECTIONS.COM



HOTEL ACCOMMODATIONS 

Mandalay Bay Resort and Casino in Las Vegas is the conference site and host hotel. 
This is where all sessions and activities are held. 

We have secured a discounted conference rate of $159/night at Mandalay 
Bay, $189/night at THE Hotel plus tax (12%). Rate is based on single or double 
occupancy and based on availability. Hotel requires a one night room and tax 
deposit at time of reservation. (Credit card will be charged by the hotel). 

Hotel cancellation policy: Must cancel at least 72 hours prior to arrival date. 

Last Fall our rooms sold out, so register early!

800.438.6720 • www.WinConnections.com 
EXCHANGE SESSIONS

Microsoft Exchange Connections
MICROSOFT SESSIONS 

Recent Engineering Developments 
in Exchange 2010 - SP2 

Load Balancing Connections 
(CAS r load balancers) 

Interoperability with Exchange 
Online - Keeping Things Running 
as You Migrate 

Migration to Exchange Online 

Virtualizing Exchange with 
Database Availability Group 

Complex Database Availability 
Group Designs 


EXCHANGE SESSIONS 

EXC01: To Backup or Not Backup - 
That Is the Question 

Michael B. Smith 

EXC02: Exchange 2010 Mailbox 
Role High Availability - 
What's Under the Hood.... 

Tim McMichael 

EXC03: Exchange 2010 
Mailbox Role Site Resiliency 
- Understanding Datacenter 
Activation Coordination 
Tim McMichael 

EXC04: Exchange 2010 Designing 
for Unified Messaging 
Anthony Vitnell 


EXC05: Lync and Exchange 
Integration 

Byron Spurlock 

EXC06: Outlook Web App 
Customization in Exchange Server 
2010 (Service Pack 1) 

William Lefkovics 

EXC07: Exchange Virtualized or 
Exchange Physical - Where Do I 
Put those Bits? 

Michael B. Smith 

EXC08: SSL Certificates and 
Exchange - The (Next) Final Word 
Michael B. Smith 

EXC09: Economics of Cloud 
Sourcing and what that Means 
to Your IT Team 

Jim McBee 

EXC10: Don't Fear the Exchange 
Management Shell 

Jim McBee 

EXC11: My Exchange Server Is 
on a Fault Line (Establishing an 
Exchange 2010 Disaster 
Recovery Site) 

Jim McBee 

EXC12: In-depth Message Tracking 
Using the Tracking Log 

Siegfried Jagott 

EXC13: Rich Coexistence of Office 
365 and Exchange 2010 

Siegfried Jagott 


EXC17: Defend Your Lync Edge 
Server from DoS Attacks, 
Brute-Force Password Attacks 
and Account Lockouts 

Rui Maximo 

EXC19: Lync Server 2010 Cloud 

Byron Spurlock 

EXC20: SharePoint Online and 
The Cloud. Forecasting Today and 
Tomorrow 
Randy Williams 

EXC21: Integrating SharePoint 
with Exchange: The What's, Why's 
and How's. 

Randy Williams 


UNIFIED COMMUNICATIONS 
AND LYNC 


EXC14: Lync Server 2010 - 
Integration with the Cisco 
Telephony Platform 

Anthony Vitnell 

EXC15: Lync Deployment Notes 
from the Field 

Byron Spurlock 

EXC16: I'm Not a PBX Guy. 

How do I Design and Deploy 
Lync Enterprise Voice? 

Anthony Vitnell 

EXC18: Configure Direct SIP with 
Lync Server and Skype Using 
Asterisk 
Rui Maximo 



Featured speakers: Dr. Avril Salter, Kimberly L. Tripp, Michele Leroux Bustamante, Kathleen Dollard, Julie Lerman

SharePoint Connections

SHAREPOINT SESSIONS


MICROSOFT SESSIONS 

Developing Next Generation 
Windows Applications that Integrate 
with SharePoint 2010 

Migrating Your SharePoint 2010 
Applications to the Cloud using 
Windows Azure 

Virtualizing SharePoint 2010 
Applications within the Private Cloud 

Creating Business Intelligence 
Dashboards for SharePoint 2010 

Building and Deploying Amazing 
Internet Sites with SharePoint 2010 

Exploring the Social Side of 
SharePoint 2010: From Sites to 
Search and Beyond 

Customizing Office 365 and 
SharePoint Online Sites using 
SharePoint Designer 

Migrating from SharePoint 2007 to 
SharePoint 2010 


SHAREPOINT ADMINISTRATION 

HAD01: SharePoint 2010 
Search Overview 
Matthew McDermott 

HAD02: SharePoint 2010 
Search Phase 2: Solving Common 
Search Challenges 
Matthew McDermott 

HAD03: Enterprise Social 
Computing with SharePoint 2010 
Matthew McDermott 

HAD04: Building it Right the First 
Time; Best Practice SharePoint 
2010 Infrastructure Advice 
Michael Noel 

HAD05: Collaborating with 
Extranet Partners on 
SharePoint 2010 
Michael Noel 

HAD06: SharePoint 2010, 
Exchange 2010, and Lync 2010; 
Better Together 
Michael Noel 


HAD07: Auto-Provisioning of 
SharePoint Farms using Scripted 
Intelligence and Server Virtualization 
Michael Noel 

HAD08: Managing the 
SharePoint Disruption 
Dan Holme 

HAD09: Wish I'd Have Known 
That Sooner! SharePoint Insanity 
Demystified 
Dan Holme 

HAD10: Up and Running: Windows 
PowerShell for SharePoint 
Dan Holme 

HAD11: Up and Running: The 
Managed Metadata Service 
Dan Holme 

HAD12: Heavy Metal PowerPivot 
Jason Himmelstein 
Cornelius J. van Dyk 

HAD13: Time Is Money. 

How SharePoint Logging will 
Save You Both! 

Jason Himmelstein 
Cornelius J. van Dyk 


SHAREPOINT DEVELOPMENT 

HDEV01: How SharePoint Workflow 
Works ... and How it Breaks 
Robert Bogue 

HDEV02: Claiming to Get Forms- 
Based Authentication 
Robert Bogue 

HDEV03: SharePoint Guidance 
- Developing Applications - 
Foundation and Execution 
Robert Bogue 

HDEV04: Building Silverlight 
Applications for SharePoint 2010 
with MVVM 
Andrew Connell 

HDEV05: Creating and Using 
SharePoint 2010 Timer Jobs 
Andrew Connell 

HDEV06: SharePoint Ribbon 
Customization Deep Dive 
Andrew Connell 


HDEV07: Accelerated Introduction 
to JavaScript for SharePoint 
Developers 
Ted Pattison 

HDEV08: Accelerated Introduction 
to jQuery for SharePoint 
Developers 
Ted Pattison 

HDEV09: Developing SharePoint 
2010 Solutions with RESTful 
Services 
Ted Pattison 

HDEV10: What Happened to 
Explorer View? Creating Tree and 
Folder Views for SharePoint 2010 
Document Libraries 
Scot Hillier 

HDEV11: Custom File Upload 
Solutions for SharePoint 2010 
Scot Hillier 

HDEV12: Cubes, Scorecards, 
Charts, and Dashboards Start to 
Finish in SharePoint 2010 
Scot Hillier 


NO CODE SOLUTIONS 


HNC01: Make the Best Use of 
SharePoint Designer 2010 
Asif Rehmani 

HNC02: Create Custom Search 
Center Solutions without Code 
Matthew McDermott 

HNC03: Create SharePoint Library 
Forms Using InfoPath 2010 
Asif Rehmani 

HNC04: Human Workflow with 
Visio 2010 and SharePoint 
Designer 2010 
Jason Himmelstein 
Cornelius J. van Dyk 


OFFICE 365 


HOF01: The Evolution of the 
SharePoint Administrator 
Ben Curry 

HOF02: Migrating Processes and 
Content to Office 365 
Ben Curry 
SQL SERVER SESSIONS


MICROSOFT SESSIONS 

A lot of sessions for Microsoft 
"Denali" are under wraps, but 
they will be covering: 

Enterprise Database 
Administration and Deployment 

Database and Application 
Development 

BI Platform Architecture, 
Development and Administration 

SQL Azure 

Check the website as we get closer 
to the show date for the Microsoft 
Day session titles and abstracts. 


SQL225: Follow the Rabbit: 
Wrap-up Q&A 
Paul Randal 
Kimberly L. Tripp 

SQL226: Understanding BI 
Security Best Practices 

Stacia Misner 

SQL227: BLITZ! The SQL - More 
One Hour SQL Server Takeovers 

Brent Ozar 

SQL302: Parallelism and 
Performance: Are You Getting Full 
Return on Your CPU Investment? 

Adam Machanic 

SQL308: TempDB Best Practices 

Andrew Kelly 


SQL Server Connections


SQL317: Capturing and Analyzing 
Perfmon Data 

Andrew Kelly 


SQL318: Storage Triage: 
Troubleshooting Slow Servers 

Brent Ozar 


SQL320: T-SQL Bug or Feature? 
Itzik Ben-Gan 

SQL321: Troubleshooting Deadlocks 
in SQL Server 

Maciej Pilecki 

SQL323: What's Really Happening 
on Your Server? 15 Powerful SQL 
Server Dynamic Management 
Objects 

Adam Machanic 


SQL203: Reporting Services 
Foundations (Part 1) 

William R. Vaughn 

SQL206: Reporting Services 
Foundations (Part 2) 

William R. Vaughn 

SQL207: Precarious? Nefarious? 
Strategies that Work for 
Nonclustered Indexes! 

Kimberly L. Tripp 

SQL209: Managing Self-Service BI 
in PowerPivot for SharePoint 

Stacia Misner 

SQL216: More DBA Mythbusters 
Paul Randal 


SQL310: Taking the Sting Out of 
Statistics 

Kimberly L. Tripp 

SQL312: Building a BI Performance 
Monitoring Solution 

Stacia Misner 

SQL313: Filtered Indexes and 
Filtered Statistics: The Good, the 
Bad and the Ugly 

Kimberly L. Tripp 

SQL314: Best Practices for 
Securing SQL Agent 

Andrew Kelly 

SQL315: How StackOverflow Scales 
with SQL Server 
Brent Ozar 


SQL324: SQL Server Execution 
Plans - from Compilation to 
Caching to Reuse 

Maciej Pilecki 

SQL401: Query Tuning Tips - Part I 

Itzik Ben-Gan 

SQL404: Query Tuning Tips - Part II 

Itzik Ben-Gan 

SQL405: Query Tuning 
Mastery: The Art and Science of 
Manhandling Parallelism 

Adam Machanic 

SQL411: Understanding Microsoft 
SQL Server Memory Usage and 
Management 

Maciej Pilecki 



SQL419: Wait Statistics: Avoiding 
'Knee-Jerk' Performance Tuning 
Paul Randal 

SQL422: Advanced Recovery 
Techniques 

Paul Randal 


CHECK WEB SITE AS WE CONTINUE TO ADD MORE 
SESSIONS, SPEAKERS AND MAKE UPDATES 
WWW.WINCONNECTIONS.COM 
WORKSHOPS


PRE-PRE-CONFERENCE WORKSHOP | SUNDAY, OCTOBER 30, 2011 


WINDOWS Workshop | 9AM - 4PM | Additional Fee: $399

WPR01: The Ultimate Windows 
Troubleshooting 
Hands-On Workshop 
(BRING YOUR OWN LAPTOP) 

Bruce MacKenzie-Low 


SQL Workshops | 9AM - 4PM | Additional Fee: $399

SPR201: The 
Foundations of a 
Healthy SQL Server 
Database 

Kimberly L. Tripp & 



PRE-CONFERENCE WORKSHOPS | MONDAY, OCTOBER 31, 2011 


EXCHANGE Workshop | 9AM-4PM | Additional Fee: $399 

EPR01: Preparing for 
Exchange 2010 

Tony Redmond & 

Paul Robichaux 




SQL Workshops | 9AM - 4PM | Additional Fee: $399 



SPR202: Collaborative Business 
Intelligence: Putting the Pieces Together 

Stacia Misner 


SPR303: Designing for Performance and 
Scalability 

Kimberly L. Tripp 


SHAREPOINT Workshops | 9AM-4PM | Additional Fee: $399 

HPR01: A Day's Walk with the 
SharePoint Shepherd 
Robert Bogue 


HPR02: Dan Holme's SharePoint 
Administration and Configuration 
Masterclass 
Dan Holme 


SHAREPOINT Workshop | 9AM-4PM | Additional Fee: $425 

HPR03: SharePoint Deep-Dive: Integrating SharePoint 
with the Cloud (HANDS-ON, BRING YOUR OWN LAPTOP) 

Microsoft 


WINDOWS Workshop | 9AM-4PM | Additional Fee: $399 

WPR02: Running Your Active Directory 
with Windows Server 2008 R2 
Mark Minasi 




POST-CONFERENCE WORKSHOPS | FRIDAY, NOVEMBER 4, 2011 


WINDOWS Workshop | 9AM - 4PM | Additional Fee: $399

WPS01: Wireless for the IT 
Professional - Everything 
You Need to Know (Most of 
Which You're Doing Wrong) 
Mike Danseglio & 
Dr. Avril Salter 


SHAREPOINT Workshop | 9AM-4PM | Additional Fee: $399

HPS01: Developing 
Innovative SharePoint 
Applications with Ted 
and Andrew 
Andrew Connell & 
Ted Pattison 



SQL Workshop | 9AM - 4PM | Additional Fee: $399 


SPS401: Advanced T-SQL for SQL Server 
2008 and Denali 

Itzik Ben-Gan 



NOTE: LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS 
THE COST OF A WORKSHOP IS IN ADDITION 
TO THE REGULAR CONFERENCE FEE 
Penton Media 

c/o Tech Conferences, Inc. 

731 Main Street, Suite C-3 
Monroe, CT 06468 



WINDOWS 
OCTOBER 31-NOVEMBER 3, 2011 
LAS VEGAS, NV 

MANDALAY BAY RESORT & CASINO 

THE CONVERSATION BEGINS HERE 


EARLY BIRD DISCOUNT! 

Register by September 1 and book a minimum of three nights at Mandalay Bay and you'll receive a $100 Mandalay Bay Gift Certificate and save $100 off the full conference registration price of $1495! 


REGISTER TODAY! www.WinConnections.com • 800.438.6720 • 203.400.6121 


COMPARATIVE REVIEW 


Hyper-V Server 2008 R2 

VS. 

ESX Server 4.1 

Enumerating the similarities and differences between two 
virtualization powerhouses 

by Michael Otey 


No area in technology is changing faster than server virtualization. Since the last time we reviewed Microsoft Hyper-V Server 2008 R2 and VMware ESX Server, Microsoft has come out with the next release of its virtualization platform, Hyper-V Server 2008 R2 with SP1, and VMware has released ESX Server 4.1. Both platforms have continued to push the boundaries of virtualization by enhancing their feature sets as well as their performance and scalability. 

It should come as no surprise to learn that ESX Server 4.1 remains the enterprise leader in the server virtualization marketplace. However, according to this past year's Gartner study on virtualization, Hyper-V has seen growth of 127 percent over the past year. Skeptics might say this is because of Microsoft's much lower market share in the virtualization market, and this is partly true. However, Hyper-V has proven to be a competitive virtualization platform. In this article, I'll cover some of the most significant changes that have occurred in each platform and then highlight some important characteristics of, and differences between, Hyper-V Server 2008 R2 and ESX Server 4.1. 

The Latest Enhancements 

With SP1, Microsoft has added some significant new features to Hyper-V Server 2008 R2. The first and most important is Dynamic Memory. Dynamic Memory support lets you better use the available memory on Hyper-V hosts by dynamically allocating host memory to meet the demands of the different virtual machine (VM) workloads that are running. As workloads decrease, memory is returned from the VM to the Hyper-V host. 

Another important new feature that Microsoft implemented with SP1 is RemoteFX. RemoteFX is designed to improve the end-user experience for Virtual Desktop Infrastructure (VDI) scenarios, and it enables 3D graphics, the Windows Aero UI, and rich streaming-media experiences in Windows 7 VMs by taking advantage of the graphics-processing power of a DirectX 10-compatible video card on the Hyper-V Server machine. Microsoft also made several significant improvements to Hyper-V in the earlier release of Hyper-V Server 2008 R2, the most important of which was support for Live Migration. Up to that point, Hyper-V supported only Quick Migration. Live Migration is basically the equivalent to VMware VMotion, which allows running VMs to be moved between virtualization hosts with no downtime. Other important new features in the R2 release include support for Second Level Address Translation (SLAT), which provides improved VM performance and scalability and support for up to 64 logical processors on the Hyper-V host. You can find more information about the new features in Hyper-V 2008 R2 SP1 at www.microsoft.com/hyper-v-server/en/us/default.aspx. 

As for VMware, it has made substantial improvements since its vSphere 4.0 release. Some of the most important new features in the recent vSphere 4.1 release include the ability to boot ESXi from a SAN, improved Call Level Interface (CLI) options for troubleshooting, and seamless user authentication with Active Directory (AD). Some of the main features from the previous vSphere 4.0 release include the ability to hot-add RAM and CPU in a running VM; single-pane management for multiple vCenter servers by using Linked Server mode; the ability to manage multiple VMs as a unit using vApps; fault tolerance, which ensures zero downtime for two single-CPU VMs; support for shared memory between VMs; and support for thin virtual disk provisioning. You can find more details about the vSphere 4.1 release at www.vmware.com/support/vsphere4/doc/vsp_41_new_feat.html. 

In future releases, VMware will move away from its ESX Server platform to its thinner vSphere Hypervisor (formerly ESXi). vSphere Hypervisor has a smaller footprint and no service console, which makes it lighter and more secure. You can find more information about VMware's move to vSphere Hypervisor at www.vmware.com/products/vsphere/esxi-and-esx/index.html. 

Head-to-Head 

The capabilities that Hyper-V and ESX Server offer are similar. Both offer high degrees of host and VM scalability, and both can provide excellent server consolidation by supporting up to 1TB of RAM and 64 cores on the virtualization hosts. For VM scalability, Hyper-V Server 2008 R2 supports VMs that have up to 64GB of RAM and four virtual CPUs. ESX Server 4.1 supports VMs that have up to 255GB of RAM and four virtual CPUs. The Enterprise Plus edition of vSphere pushes the bar even higher by supporting up to eight virtual CPUs. Table 1 summarizes the primary specifications for Hyper-V Server 2008 R2 and VMware ESX Server 4.1. 

Table 1: Hypervisor features

Specifications | Hyper-V Server 2008 R2 | vSphere 4.1
Maximum host RAM | 1TB | 1TB
Maximum VM RAM | 64GB | 255GB
Maximum host cores | 64 | 64
Maximum vCPU | 4 | 8 for Enterprise Plus; 4 for all other editions
Maximum active VMs | 256 | 256
Maximum nodes per cluster | 16 | 32
Hot-add CPU to VM | No | Yes
Hot-add RAM to VM | Dynamic memory | Yes
VM migration | Live Migration | VMotion
VM storage availability | Not applicable | Storage VMotion

You can see in the table that, although there are differences in the two platforms, they are definitely comparable. Both are excellent for server consolidation, and both provide high degrees of scalability for VMs. In the Windows IT Pro labs, we ran a series of performance tests comparing these two platforms as a small or midsized business (SMB) might use them. 

In these tests, we used 10 active VMs per host and had 40 clients connected to each VM. The workload was a mix of file serving where some of the clients were reading and writing 135MB files to six of the VMs. The other four VMs were configured as database servers, and the clients were submitting a series of 27 different queries. Under this workload, the performance of the two virtualization platforms was very similar, with the VMware platform eking out a 2 percent overall advantage over Hyper-V. Remember that these tests were designed to assess the performance of each system under an equal load, so they would not be representative of your actual production workloads. 

Architecture 

Although Hyper-V Server 2008 R2 and vSphere have a lot of similarities, they have just as many differences. Perhaps one of the most important differences between Hyper-V Server 2008 R2 and ESX Server 4.1 concerns the different philosophies behind the way the two platforms are positioned. VMware views virtualization as an extension of the hardware, whereas Microsoft positions virtualization as a feature of the Windows Server OS. This difference is reflected in the architectures of the two platforms. You can see a high-level comparison of the architectures of Hyper-V Server 2008 R2 and ESX Server in Figure 1. 


Both hypervisors are 64-bit. However, one of the biggest differences between the two products is the way they handle drivers. ESX Server implements the hardware device drivers as a part of the hypervisor. This makes for a larger hypervisor because the drivers are part of the hypervisor itself. This approach also adds third-party code to the hypervisor. Implementing the device drivers as a part of the hypervisor limits the hardware that ESX Server will run on because it can run only on servers where there are existing drivers. One advantage to this model is that the drivers are specifically tested by VMware for virtualization support. 

Hyper-V uses the device drivers from the parent partition, outside the hypervisor. Guest VMs run in the child partitions. This allows the Hyper-V hypervisor to be very small, and it contains no third-party code. This approach leverages the Windows driver model, allowing Hyper-V to run on a wide variety of hardware. However, it also places a dependence on the parent partition, and the drivers aren't designed specifically to support virtualization. 


Guest OS Support 

Another big difference between Hyper-V Server 2008 R2 and ESX Server 4.1 lies in the products' support of guest OSs. ESX Server is a more mature product, and VMware supports a wide variety of guest OSs. ESX Server 4.1 supports all the Windows Server OSs and most of the popular Linux distributions. Table 2 shows the list of guest OSs that are supported by ESX Server. You can see a complete list of the guest OSs that are supported by ESX Server at www.vmware.com/pdf/GuestOS_guide.pdf. 

As you might expect, the list of supported guest OSs for Hyper-V includes all the recent Windows OSs, but few others. Table 3 shows the list of guest OSs that are supported by Hyper-V. This list basically includes all Windows Server OSs, plus SUSE and Red Hat Linux. This Linux implementation is also limited to a single virtual CPU. This falls far short of the Linux support offered by ESX Server. 

Microsoft has made the code for the Linux Hyper-V Integration components available as open source, but the company has left the adoption of this code to other vendors. You can find more information about the guest OSs supported by Hyper-V Server 2008 R2 at www.microsoft.com/windowsserver2008/en/us/hyperv-supported-guest-os.aspx. 

Editions and Licensing 

Microsoft delivers Hyper-V in two ways: as a role in Windows Server 2008 R2 or as the free standalone Hyper-V Server 2008 R2. As part of the Server 2008 OS, Hyper-V is essentially free to organizations that are running Server 2008. Hyper-V is included in the following editions of Server 2008 R2: 

• Windows Server 2008 R2 Standard Edition 
• Windows Server 2008 R2 Enterprise Edition 
• Windows Server 2008 R2 Datacenter Edition 

Figure 1: Comparing VMware and Hyper-V architectures. ESX Server 3.5: VM 1 ("Admin"), VM 2, and VM 3 run above a hypervisor that contains the drivers, which sits on the hardware. Hyper-V: VM 1 ("Parent") holds the drivers, while VM 2 ("Child") and VM 3 ("Child") run beside it above the hypervisor, which sits on the hardware. 

Table 2: ESX Server-supported guest OSs 

Windows Server 2008 Standard Edition (x64, x86) 
Windows Server 2008 Enterprise Edition (x64, x86) 
Windows Server 2008 Datacenter Edition (x64, x86) 
Windows Web Server 2008 (x64, x32) 
Windows Server 2003 Standard Edition (x64, x86) 
Windows Server 2003 Enterprise Edition (x64, x86) 
Windows Server 2003 Datacenter Edition (x64, x86) 
Windows Server 2003 Web Edition (x86) 
Windows 2000 Server 
Windows 2000 Advanced Server 
Windows Vista Business (x64, x86) 
Windows Vista Enterprise (x64, x86) 
Windows Vista Ultimate (x64, x86) 
Windows Vista Home Premium (x64, x86) 
Windows Vista Home Basic (x64, x86) 
Windows XP Professional (x64, x86) 
Windows NT Server 4.0 
CentOS 5.0 
Red Hat Enterprise Linux 5, 4, 3, and 2.1 
Red Hat Linux 9, 8, 7.3, and 7.2 
SUSE Linux Enterprise Server 10, 9, and 8 
SUSE Linux 9.3, 9.2, 9.1, 9.0, and 8.2 
Ubuntu 8.04, 7.10, and 7.04 
FreeBSD 4.11, 4.10, and 4.9 
Netware 6.5, 6.0, and 5.1 
Solaris 10 (x86) 

Hyper-V Server 2008 R2 supports most of the same features as the Hyper-V role in Server 2008 R2. It supports 32GB of host RAM and VMs that have up to four vCPUs. It also supports failover clustering and live migration. You can download Hyper-V 2008 R2 Server at www.microsoft.com/downloads/en/details.aspx?familyid=48359dd2-1c3d-4506-ae0a-232d0314ccf6&displaylang=en. You can get more information about the specific differences between Hyper-V Server 2008 R2 and the Hyper-V role in Server 2008 R2 at www.microsoft.com/hyper-v-server/en/us/default.aspx. 

Like Hyper-V, ESX Server is delivered in two different offerings. First, ESX Server 4.1 is provided as part of all the different vSphere editions, including vSphere Standard, vSphere Advanced, vSphere Enterprise, and vSphere Enterprise Plus. VMware vSphere is licensed per processor, and the different editions include different feature sets. The vSphere Standard edition is the most basic edition. Building on that, the Advanced edition adds the ability to hot-add CPUs and adds fault tolerance. The Enterprise edition adds Storage VMotion, Distributed Resource Scheduling, and Distributed Power Management. The Enterprise Plus Edition adds eight-way vCPUs and Distributed Switch capabilities. 


VMware's added licensing costs make it a more expensive option than Hyper-V. However, it also provides a richer feature set. You can see a fuller summary of the different features in each edition at www.vmware.com/vmwarestore/vsphere_purchaseoptions.html. 

VMware also provides a free version of its hypervisor. The free version was formerly known as ESXi, but it has been renamed vSphere Hypervisor. vSphere Hypervisor is full-featured, and its support for the advanced features in the upper editions of the vSphere suite can be unlocked with a licensing key. You can download the free vSphere Hypervisor from www.vmware.com/products/vsphere-hypervisor/overview.html. 

One of the most important considerations in virtualization is licensing, and Microsoft provides some benefits for running Windows Server in a virtual environment. Server 2008 R2 Standard Edition allows for one additional virtual Windows Server instance to run with no extra licensing. The Server 2008 R2 Enterprise Edition license allows up to four additional virtual Windows Server instances to be active. The Server 2008 R2 Datacenter license allows for an unlimited number of virtual Windows Server instances. This licensing applies to any type of virtualization platform, including ESX Server. For example, on the VMware platform, you can license an instance of Server 2008 R2 Datacenter running as a VM on ESX Server, and that license covers all active instances of Windows Server on that ESX server. 

Management 

On the management side, VMware vSphere Client continues to stand head and shoulders above the much more basic Hyper-V Manager from Microsoft. Hyper-V Manager lets you manage the VMs on one or more Hyper-V servers. You can create VMs and control them, you can create Virtual LANs (VLANs) by using the new virtual switching feature, you can automatically set up VM start and stop attributes, and you can set VM resource allocations. The Hyper-V Manager is functional, but it doesn't provide any of the advanced features, such as performance monitoring, that vSphere Client provides. 

Although the Hyper-V Manager is the built-in management program for Hyper-V, it's definitely not Microsoft's premier virtualization management product—that is System Center Virtual Machine Manager 2008 R2. SCVMM 2008 R2 is part of System Center Enterprise Suite. Note that System Center Enterprise Suite is not free. There is an Enterprise edition that is licensed for $569 and a Datacenter edition that is licensed for $2,620. 

System Center Enterprise Suite is designed to manage both your physical and virtual infrastructure as a single entity. System Center Operations Manager (SCOM) provides end-to-end monitoring for servers and applications, including VMs. System Center Data Protection Manager enables you to back up your servers and applications. SCVMM 2008 R2 provides a full range of virtualization management tools including templates, self-service provisioning, and administrative delegation. And, when SCVMM 2008 R2 is used in conjunction with SCOM, it can form the basis for dynamic systems management. Microsoft is planning a huge update to SCVMM in the second half of 2011. You can see SCVMM 2008 R2 in Figure 2. 

VMware's vSphere Client offers a full-featured and functional interface that lets you manage multiple VMware VMs for a single ESX Server host. It goes far beyond the capabilities provided by Hyper-V Manager. You can create and control VMs and control several host settings such as the configuration of virtual switches, the host time synchronization, the DNS server, and VM automatic start and stop actions. Additionally, you can use the vSphere Client to set up users and groups along with their associated permissions. One of the best features of the vSphere Client is its ability to track performance information at both the host and VM levels. It provides a storage summary as well as information about CPU, memory, network, and disk usage. Centralized management is provided through VMware vCenter Server. The capabilities provided by the vSphere Client vary according to whether the vCenter Server is installed. You can see the vSphere Client interface in Figure 3. 

Figure 2: Microsoft SCVMM 

Figure 3: VMware's vSphere Client 

Table 3: Hyper-V supported guest OSs 

Windows Server 2008 Standard (x64, x86) 
Windows Server 2008 Enterprise (x64, x86) 
Windows Server 2008 Datacenter (x64, x86) 
Windows Web Server 2008 (x64) 
Windows Server 2003 Standard (x64, x86) 
Windows Server 2003 Enterprise (x64, x86) 
Windows Server 2003 Datacenter (x64, x86) 
Windows Server 2003 Web Edition (x86) 
Windows HPC Server 2008 
Windows 2000 Server 
Windows 2000 Advanced Server 
Windows Vista Business (x64, x86) 
Windows Vista Enterprise (x64, x86) 
Windows Vista Ultimate (x64, x86) 
Windows XP Professional (x64, x86) 
Red Hat Enterprise Linux (RHEL) 5.5, 5.4, 5.3, and 5.2 
SUSE Linux Enterprise Server 10 (x64, x86) 

Table 4: Hyper-V and ESX Server summary 

Hyper-V Server 2008 R2 | ESX Server 4.1 
Less expense | No reliance on Windows 
Broader hardware support | Broader guest support 
Excellent performance | The best performance 
Smaller hypervisor and larger platform | Bigger hypervisor and smaller platform 
Cost-effective for SMBs | Better scalability and manageability for larger business 


Pros and Cons 

There's no doubt that Hyper-V is evolving quickly and that it is a perfectly adequate solution for most SMBs. That said, there's also no doubt that the maturity of vSphere continues to make it the market leader, based on its market share and on the advanced features that are supported by the product. You can see a summary of the pros and cons of Hyper-V Server 2008 R2 and ESX Server 4.1 in Table 4. 

A Foundation for the Cloud 

Virtualization has proven to be a critical platform for increasing return on investment (ROI) through server consolidation and by improving availability through technologies such as Live Migration and VMotion. Although many companies are still in the process of implementing virtualization for these reasons, companies such as Microsoft and VMware are working to position virtualization as the basis for the cloud—that is, both the private cloud and the public cloud. 
The State of Cloud Backup 

How the cloud has emerged as a valid enterprise backup solution 

by Jeff James 


Regular backup of important files and data can be the bane of many IT professionals. It's like filing your tax return every year: You don't like to do it, the experience is hardly ever a positive one, and even thinking about the topic can give you a serious case of indigestion. Some solutions are better than others, but I think most readers would agree that the less obtrusive, more automated, and more reliable backups are, the better. 

With all the recent buzz about cloud computing, it was inevitable that talk would eventually turn to using the cloud for backup. Although the mere mention of the phrase “cloud computing" might cause some IT pros to say “Here we go again...," the basic concept of backing up important data and moving it to a separate location from a primary office has been a valid data insurance policy for decades. Hosted backup providers have been around just as long, offering a valuable (and needed) extra layer of protection for local backups. 


Backup and the Cloud 

There are a variety of reasons why cloud backup might be a suitable solution for your organization, and it's 
clear that the demand for these services is increasing. According to a recent survey by Forrester Research, 
only 5 percent of small-to-midsized businesses (SMBs) currently use online backup services, remote 
backup, or cloud backup services—but that number is expected to explode over the next few years. 

That same survey revealed that 38 percent of participants plan to use backup services within 2 years, which is a growth rate of 660 percent. Part of that increased willingness to back up files and data to the cloud is being driven by consumer adoption of online backup services such as Mozy, Crashplan, and Carbonite. Millions of people are already using cloud-based file storage in the form of Windows Live SkyDrive, DropBox, Amazon Cloud Drive, and the various storage options for Google Docs, Google Picasa, and other Google services. Apple's recent iCloud announcements also point to even more consumer acceptance and awareness of the cloud. So the idea of backup and file storage in the cloud isn't new—everyone reading this article is probably already using at least one of the cloud-based services I mentioned. 

Enterprise software vendors are now offering cloud backup services as well. CA recently announced 
that it was offering cloud backup via Windows Azure. Symantec's Backup Exec.cloud is in beta and should 
be available for licensing by the end of 2011. Gartner research director Adam Couture specializes in 
covering the enterprise backup market, and he says that major players such as Seagate's i365, Barracuda 
Backup Service, IBM SmartCloud Managed Backup, and Terremark's Backup and Restore—although not 
technically cloud backup providers—are major backup players in the existing hosted backup market and 
will likely enter the cloud backup fray as well. 

Couture also points out that there are many smaller backup providers that currently offer hosted backup services to customers. "There are literally hundreds of service providers that license some other vendor's backup software and technology—such as backup software providers Asigra, Terremark, and HP—and create a small business around it," Couture says. "There are only about 10 distinct backup software technologies out there, but there are hundreds of providers that use them."

One of the largest of those providers is Asigra, whose Asigra Cloud Backup software is offered by 
third-party managed service providers (MSPs). Asigra announced earlier this year that more than 400,000 
customer sites were using Asigra Cloud Backup software provided by Asigra MSPs. 

One of those Asigra MSPs is Backup My Info! (BUMI), a small backup services provider that specializes in providing backup services to customers in the northeastern United States, primarily in the tri-state area. BUMI (reviewed on page 56) has found success as a backup provider specifically for financial services, banks, hedge funds, law offices, real estate, and non-profit organizations. "We're looking to develop closer relationships with our backup clients," says BUMI CEO Jennifer Walzer. "We're hoping to be that valued partner/advisor that customers turn to when they want to use an external backup provider. We're looking to be an extension of their own internal IT resources."

Asigra Executive Vice President Eran Farajun commends Walzer's approach to providing backup services and suggests that cloud backup MSPs such as Walzer's BUMI need to be aware of the misconceptions that some users have about cloud backup. "The cloud is a new technology and has some widely publicized failures, but the cloud will eventually mature enough to be treated just like other widely used infrastructure services," says Farajun. "[Failure] occasionally happens, such as power outages, phone lines going dead, and roads being blocked with accidents. Overall, the cloud can be extremely reliable, but even the most reliable systems fail infrequently."

Choosing a Cloud Backup Solution 

When evaluating cloud backup providers, there are several important points to weigh in making your selection. The following deployment tips and advice are worth the attention of any IT manager considering a cloud backup solution.

Experience counts. As Gartner's Couture points out, backup providers run the gamut from large, global corporations to one-man operations with limited resources and rock-bottom pricing. "Any teenage programmer can put together a few lines of code, leverage Amazon's public cloud, and start selling cloud backup services," says Couture. Look for backup providers with a few years of experience under their belt and the ability to handle all of your backup needs.

Redundancy matters. BUMI's Walzer stresses that it's wise to require that cloud backup providers—in addition to having your data offsite in a cloud backup facility—support and, ideally, offer the option to back up files locally (out of the cloud). "It's really the best of both worlds," says Walzer. "Having both a cloud and local backup means that you're planning for failure and can get your business up and running in the event of a cloud or local backup failure."

24 x 7 support. As any experienced IT pro can attest, system failures and network meltdowns seldom happen at ideal times, which means you might need to get in touch with a backup vendor at odd or unusual hours, including holidays, weekends, and the wee hours of the morning. Cloud backup providers that provide 24 x 7 support 365 days of the year are essential if your organization requires continuous uptime.

Trust in SLAs. The service level agreement (SLA) you have with your cloud backup vendor outlines what you and the vendor are individually responsible for, and it spells out what the consequences are for the vendor if the company doesn't live up to its end of the agreement. "Some providers price their services very low," Walzer says. "You often get what you pay for in this situation, and many of these lower-priced providers have very weak recovery options. You need an SLA with teeth: The provider should know that not delivering on their promises will have very real and expensive ramifications for them."

Transportability. A concern of IT pros is getting their data locked into a cloud provider, only to have the provider go out of business or be acquired by a larger provider, or any number of other situations that take the data out of the IT pro's hands. Making sure your data can be easily transferred to another provider is a must. You might also want to explore the concept of software escrow agreements, which could give you access to the source code of any custom software used to access your data. Confirm as well that a backup can be restored without the provider's service being online; escrowed source code is of little help if the data itself sits in a format only the provider's servers can unpack.

Security and encryption. Make sure the cloud backup vendor you choose supports the level of security and encryption you need to keep your data secure and remain in compliance with any third-party regulations you need to follow. For example, if you need to remain in compliance with the Federal Information Processing Standard (FIPS) Publication 140-2 (aka FIPS 140-2) for security accreditation, you'll want to make sure that your vendor supports it as well. FIPS 140-2 validates cryptographic modules, not products or companies, so ask which validated modules the backup agent, the transport, and the storage tier actually use rather than accepting a general claim of "FIPS compliance." Ensure that data is encrypted at rest and in flight, and find out who holds the encryption keys: if the provider can decrypt your data, so can anyone who compromises or compels the provider. Make sure any specific security, auditing, and compliance needs are communicated clearly to the provider (and added to your SLA, if necessary).


Get references and consider niche providers. "It's best to get references from customers that are in your industry segment," Farajun says. "Big logos don't mean anything, nor does the relative size of the vendor. You may want to pursue vendors who get good references from your own industry (e.g., banking, manufacturing), as they will probably be more knowledgeable about the specific needs for your industry."
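The encryption and transportability points above come down to one question: who can read the backup if the provider is breached, subpoenaed, or simply gone? As an added example (not code from this article or from any provider it names), the following PowerShell encrypts a backup archive on the customer's side before the backup agent ever sees it, so the provider stores only ciphertext and the key never leaves the organization. It uses .NET Framework classes available to PowerShell on Windows XP SP3 through Windows 7: AesCryptoServiceProvider (the CAPI-backed AES, which keeps working when the Windows FIPS 140-2 local policy is enforced, unlike the managed AesManaged class), HMACSHA256, and Rfc2898DeriveBytes, in an encrypt-then-MAC construction. The file paths, the BACKUP_PASSPHRASE environment variable, and the PBKDF2 iteration count are assumptions.

```powershell
# Added example: client-side encryption of a backup archive before upload.
# Not code from the article or any backup provider; paths and the passphrase
# variable are hypothetical. Requires .NET Framework 3.5+ (Windows XP SP3 to 7).
# Protected file layout: salt(16) | IV(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32)

Add-Type -AssemblyName System.Core   # AesCryptoServiceProvider lives in System.Core

function Get-BackupKeys {
    param([string]$Passphrase, [byte[]]$Salt)
    # PBKDF2 (HMAC-SHA1 in the .NET Framework), 100,000 iterations (assumed value).
    # First 32 bytes encrypt, next 32 authenticate: one key is never used for both.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $Salt, 100000)
    $material = $kdf.GetBytes(64)
    return @{ Enc = [byte[]]$material[0..31]; Mac = [byte[]]$material[32..63] }
}

function New-AesCbc {
    param([byte[]]$Key, [byte[]]$IV)
    # CAPI-backed AES: stays usable when the FIPS 140-2 local policy is enabled,
    # where the purely managed AesManaged class throws instead.
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Protect-BackupFile {
    param([string]$InputPath, [string]$OutputPath, [string]$Passphrase)
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $salt = New-Object byte[] 16; $rng.GetBytes($salt)   # fresh salt per file
    $iv   = New-Object byte[] 16; $rng.GetBytes($iv)     # fresh IV per file
    $keys = Get-BackupKeys -Passphrase $Passphrase -Salt $salt

    $aes    = New-AesCbc -Key $keys.Enc -IV $iv
    $plain  = [System.IO.File]::ReadAllBytes($InputPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Encrypt-then-MAC over everything the restore side will trust: salt, IV, ciphertext.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$keys.Mac)
    $tag  = $hmac.ComputeHash([byte[]]($salt + $iv + $cipher))
    [System.IO.File]::WriteAllBytes($OutputPath, [byte[]]($salt + $iv + $cipher + $tag))
}

function Unprotect-BackupFile {
    param([string]$InputPath, [string]$OutputPath, [string]$Passphrase)
    $blob = [System.IO.File]::ReadAllBytes($InputPath)
    if ($blob.Length -lt 80) { throw "Not a protected backup: file too short" }
    $n      = $blob.Length
    $salt   = [byte[]]$blob[0..15]
    $iv     = [byte[]]$blob[16..31]
    $cipher = [byte[]]$blob[32..($n - 33)]
    $tag    = [byte[]]$blob[($n - 32)..($n - 1)]
    $keys   = Get-BackupKeys -Passphrase $Passphrase -Salt $salt

    # Verify before decrypting; compare all 32 bytes regardless of where they differ.
    $hmac     = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$keys.Mac)
    $expected = $hmac.ComputeHash([byte[]]($salt + $iv + $cipher))
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Authentication failed: wrong passphrase or tampered backup" }

    $aes   = New-AesCbc -Key $keys.Enc -IV $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutputPath, $plain)
}

# Usage (hypothetical paths): run before the agent uploads, and again on restore.
Protect-BackupFile   -InputPath 'C:\Backups\finance.zip'     -OutputPath 'C:\Backups\finance.zip.enc' -Passphrase $env:BACKUP_PASSPHRASE
Unprotect-BackupFile -InputPath 'C:\Backups\finance.zip.enc' -OutputPath 'C:\Restore\finance.zip'     -Passphrase $env:BACKUP_PASSPHRASE
```

The trade-off is that the passphrase is now the backup: lose it and the ciphertext is worthless, so it needs the same escrow discipline the article suggests for source code, kept somewhere the provider cannot reach, and the restore path should be exercised from the encrypted copy on a schedule rather than assumed to work.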

Cloudy, with a Chance of Change 

Pressures on cloud backup vendors are 
coming from cheap providers that leverage 
low-cost software and use Amazon's public 
cloud infrastructure. This price pressure 
led Iron Mountain to abandon the cloud 
backup business and forced EMC to drop its 
Atmos product service. 

“Cloud [backup] will become a part of 
the mobile experience as well, and replace 
existing methods of doing business," says 
Farajun. “We already have data in the cloud, 
and data will [increasingly proliferate] on 
mobile devices as well. Cloud backup will 
extend to cover those devices also." 

Farajun also believes that cloud backup will become a standard feature of many applications, with increased usability thanks to a high degree of integration. Users consistently access a file menu within applications to save their work, and Farajun believes making quick backups in the cloud will become just as easy. Apple's recent announcements about iCloud seem to validate Farajun's claims and point to a more seamless and integrated approach to cloud use in the future. "Remember all the attention that was paid to the BIOS (Basic Input/Output System) of a PC in the mid-1980s? Eventually that complexity was obscured and hidden from the user," Farajun says. "Backup is often a painful process, like doing exercise. Every IT manager knows they must do backups, but doing them manually is a pain. It has to become more automated."

InstantDoc ID 129567 



Jeff James (jjames@windowsitpro.com) is industry news analyst for Windows IT Pro. He was previously editor in chief of Microsoft TechNet magazine, was an editorial director at the LEGO Company, and has more than 15 years of experience as a technology writer and journalist.


www.windowsitpro.com
We're in IT with You
Windows IT Pro, AUGUST 2011, page 63





DISCOVER WINDOWS IT PRO VIP

Windows IT Pro VIP is the perfect tool for the IT pro who knows that 15 minutes searching the Web is costing more than just time.

WINDOWS IT PRO VIP is:

1. Educational—FREE eLearning courses and eBooks to keep your skills sharp

2. Deep—over 41,000 articles on DVD and online, some exclusively for VIP members

3. Broad—all the articles, solutions, and FAQs ever published in: Windows IT Pro, SQL Server Magazine, SharePointPro Connections, DevProConnections

4. Reliable—every solution has been road-tested by our experts

5. Impartial—with technical editors who are shaping the industry

6. Economical—more than $1,000 of resources for less than $17* a month

Upgrade to VIP at windowsitpro.com/go/vip

* Rates vary outside the U.S.























BUYER’S GUIDE 


Antivirus Software 

Price should be your last consideration, not your first 

by David Chernicoff and Blair Greenwood 


Antivirus software is one of the most important applications that IT installs on users' computers. Too many threats exist in a Windows environment to not immediately equip any computer that can connect to the outside world (even if only indirectly) with the tools necessary to automate that computer's defense from the myriad of attacks to which it will likely be exposed.

The proactive (and, for good reason, slightly paranoid) IT professional who is responsible for securing systems from viruses, malware, Trojans, and other sorts of external attack understands that providing the right level of security requires a layered approach and that relying on a single approach to protection leaves systems with a single point of failure. Regardless of perimeter security and gateway-level virus scanning, systems administrators should also equip client computers with antivirus software.

How to choose this software is a function of the computer's role, the level of security required, and the effect the software will have on everyday user operation. These criteria can be applied only after IT has already winnowed down the selection from a large number of antivirus products that range from relatively simple antivirus solutions aimed at the corporate desktop to complete suites of system security software that go far beyond simple endpoint antivirus protection and offer an entire range of additional capabilities.

The days are long past when you could decide on an antivirus solution based on its basic threat detection and protection capabilities. Every major vendor offers some form of protection from every typical style of attack, giving users the ability to perform real-time background scans of files that they interact with. For example, client-side software goes so far these days as to not only scan inbound software for potentially harmful content but also scan outbound messages, in case the system does get infected, to prevent a compromised system from becoming an internal attack vector.

This additional protection is great from an IT perspective, 
as long as it doesn't interfere with user productivity. Therefore, 
evaluating a product's performance hit or memory overhead is 
important, especially because few enterprises have all the latest 
and greatest client hardware. The performance and security issues 
of a 5-year-old system running Windows XP are far different than 
those of a properly configured Windows 7 configuration running 
on current hardware. All the major antivirus vendors support every 
OS configuration from XP to Windows 7, so that's unlikely to be a 
decision point. 

Beyond the programs' basic capabilities, how can you decide which software to use? Cost is always an issue for IT, but this is definitely a case in which being penny-wise can be pound-foolish. With antivirus software, only after you've determined that all other critical components are equivalent should you base a decision solely on cost. Your primary considerations should include the following.

How often are virus definitions updated? Many vendors update 
their virus signature files quite often, taking an aggressive approach 
to limiting their clients' exposure. How often do you want your 
client systems to update when there isn't an outbreak in the wild 
as opposed to a maintenance update? Are you able to control the 
update process? Do clients need direct Internet access to update, or 
can you run a local updater service? Can IT force clients to update? 
How much control does IT get over the update process? 

How quickly does the vendor respond? Historically, how long 
has it taken the vendor to update the product after new viruses 
were found in the wild? How does the vendor alert the user (or IT) 
to this occurrence and let them know that a patch is necessary, 
rather than just a simple maintenance update? 

Does the program include extra features that you want? 
Do you want a program that includes web browser security (e.g., 
one that takes control over browser settings and locks down the 
configuration)? Vendor offerings range from standalone antivirus 
to complete endpoint security packages. Your business model will 
likely put you somewhere between these two extremes for actual 
need—but does the product have additional features that will 
improve user security at little or no extra cost? 

Does the product fit into your production environment? Does it interact properly with all your standard and custom business applications? Is its behavior consistent and reliable when used on your network? Does the program allow IT to control and manage how it works and make sure that it's functional and properly updated? If you have an existing Internet security solution in place, for example, does the antivirus solution work properly within the scope of that existing security model?

How much end user interaction is required? The solution 
you select should have clear-cut and easily understood alerts that 
are configurable by IT. A product that gives the same warning to 
the user when it finds a benign tracking cookie and a dangerous 
virus is likely to confuse users and generate increased calls to IT. 
The right solution will reduce the need for IT hand-holding of end 
users faced with potential virus threats. 
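The update and management questions above are only worth asking if IT can verify the answers on real machines afterwards. As an added example (not code from this article or from any vendor in the Buyer's Guide), the following PowerShell inventories what each Windows Vista or Windows 7 client reports to Windows Security Center and flags endpoints whose antivirus is disabled or running stale signatures, whichever product is installed. It assumes remote WMI access, the root\SecurityCenter2 namespace (Windows XP uses root\SecurityCenter and has no productState field; server SKUs have no Security Center at all), the community-documented productState bit layout (Microsoft has not published it), and hypothetical computer names.

```powershell
# Added example: fleet check of antivirus state via Windows Security Center.
# Not code from the article or any vendor in the Buyer's Guide. Assumptions:
# Windows Vista/7 clients (root\SecurityCenter2), remote WMI access, and the
# community-documented productState layout, which Microsoft has not published:
# bit 0x1000 set = real-time protection on, bit 0x10 set = signatures out of date.
# Computer names are hypothetical.

function ConvertFrom-ProductState {
    param([int]$State)
    New-Object PSObject -Property @{
        Enabled  = (($State -band 0x1000) -ne 0)
        UpToDate = (($State -band 0x10) -eq 0)
        Raw      = ('0x{0:X6}' -f $State)      # keep the raw value for disputes with the vendor
    }
}

function Get-AvStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                                        -ComputerName $computer -ErrorAction Stop)
        } catch {
            # Unreachable host or no Security Center: report it rather than silently skipping.
            New-Object PSObject -Property @{ Computer = $computer; Product = '(query failed)';
                Enabled = $false; UpToDate = $false; Raw = $_.Exception.Message }
            continue
        }
        if ($products.Count -eq 0) {
            # A client with nothing registered is the worst case, not a clean row.
            New-Object PSObject -Property @{ Computer = $computer; Product = '(none registered)';
                Enabled = $false; UpToDate = $false; Raw = '' }
            continue
        }
        foreach ($p in $products) {
            $s = ConvertFrom-ProductState -State $p.productState
            New-Object PSObject -Property @{ Computer = $computer; Product = $p.displayName;
                Enabled = $s.Enabled; UpToDate = $s.UpToDate; Raw = $s.Raw }
        }
    }
}

# Usage: list only the endpoints that need attention.
Get-AvStatus -ComputerName 'WS-FIN-01', 'WS-FIN-02', 'WS-LAW-07' |
    Where-Object { -not ($_.Enabled -and $_.UpToDate) } |
    Format-Table Computer, Product, Enabled, UpToDate, Raw -AutoSize
```

Because the check reads the operating system's view rather than a vendor console, it works across mixed deployments and during a migration between products, and a vendor whose agent never registers with Security Center (or reports itself current while its signatures are days old) shows up here before it shows up as an outbreak.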

When all these factors are considered and evaluated—that is, thoroughly tested before potential deployment—it's time to consider price. Prices range from perpetual per-seat licensing to annually subscribed full-site single-price models. Depending on the size of your enterprise, different vendors might fit your budget more closely. When you make price the final decision point, rather than a primary concern, you'll know that you have the right tool for the job. For a summary of antivirus software products and features, see the Buyer's Guide table.
Buyer's Guide table: Antivirus Software (part 1 of 2). Paired Yes/No entries follow the order of the paired heading (for example, Blacklist/Whitelist and Automatic/Manual).

Company (phone, web) | Product | Price | Supported OSs | Real-time scanning | Signature protection | Blacklist/whitelist protection | Heuristic modeling protection | File cleaning protection | File quarantine capabilities | On-demand scanning, automatic/manual
Bit9 (617-393-7400, www.bit9.com) | Bit9 Parity Suite | $32 per user, perpetual license | Windows 7, Windows Vista, Windows XP | Yes | No | Yes/Yes | No | No | Yes | Yes/No
ESET (866-343-3738, www.eset.com) | ESET NOD32 Antivirus 4 Business Edition | $23.99 for 25 to 50 seats | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes
ESET | ESET Smart Security 4 Business Edition | $29.99 for 25 to 50 seats | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes
GFI Software (888-243-4329, www.gfi.com) | VIPRE Antivirus Business | Contact vendor | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes
Kaspersky Lab (866-328-5700, www.kaspersky.com) | Kaspersky Open Space Security | Contact vendor | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/No
Panda Security (877-263-3881, www.pandasecurity.com) | Panda Cloud Protection | Contact vendor | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes
Sophos (866-866-2802, www.sophos.com) | Sophos Endpoint Security and Data Protection 9.7 | From $18.50 to $35.50 per user, depending on number of seats | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/No
Sophos | Sophos Security Suite | From $53.50 per user for 1 year | Windows 7, Vista, XP | Yes | Yes | No/No | Yes | Yes | Yes | Yes/Yes
Symantec (800-745-6054, www.symantec.com) | Symantec Endpoint Protection | Contact vendor | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes
Trend Micro (877-218-7363, www.trendmicro.com) | OfficeScan 10.5 | $20 per user over 1,000 users | Windows 7, Vista, XP | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes/Yes

Buyer's Guide table: Antivirus Software (part 2 of 2), same products in the same order.

Product | Supported browsers | Identity protection | Phishing protection | Email scan, inbound/outbound | Instant messaging protection | File share scan | Automated USB device scan | Active Directory support | Group Policy support | Remote management/deployment | Updates, automatic/manual | Scheduled updates
Bit9 Parity Suite | IE, Firefox, Safari, Opera, Chrome | Yes | Yes | No/No | Yes | No | No | Yes | Yes | Yes/Yes | Yes/Yes | Yes
ESET NOD32 Antivirus 4 Business Edition | IE, Firefox, Safari, Opera, Chrome | No | No | Yes/Yes | No | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
ESET Smart Security 4 Business Edition | IE, Firefox, Safari, Opera, Chrome | No | No | Yes/Yes | No | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
VIPRE Antivirus Business | IE, Firefox, Safari, Opera, Chrome | No | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
Kaspersky Open Space Security | IE, Firefox, Safari, Opera, Chrome | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
Panda Cloud Protection | IE, Firefox, Chrome | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
Sophos Endpoint Security and Data Protection 9.7 | IE, Firefox, Safari, Opera, Chrome | No | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes/No | Yes
Sophos Security Suite | IE, Firefox, Safari, Opera, Chrome | No | Yes | Yes/Yes | Yes | Yes | Yes | No | No | Yes/Yes | Yes/Yes | Yes
Symantec Endpoint Protection | IE, Firefox, Safari, Opera, Chrome | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes
OfficeScan 10.5 | IE, Firefox, Safari, Opera, Chrome | Yes | Yes | Yes/No | No | Yes | Yes | Yes | Yes | Yes/Yes | Yes/Yes | Yes

Editor's Note: Some vendors you might expect to see in this Buyer's Guide said they didn't have a product that exactly matched the criteria or didn't respond to our requests for information about their products.
Prime Your Mind with Resources from Left-Brain.com

Left-Brain.com is the online superstore stocked with educational, training, and career-development materials focused on meeting the needs of IT professionals like you.

Featured Product: VMware vSphere Training

VMware vSphere Training courseware is appropriate for both new VMware administrators and those who are preparing for the VCP certification. Besides completely covering how to administer a VMware infrastructure, this course also reviews third-party solutions that are widely used by the virtualization community. Find out more about this course and other virtualization resources at Left-Brain.com

windowsitpro.com/go/left-brain/vsphere

*Plus shipping and applicable tax.

www.left-brain.com

Windows IT Pro












INDUSTRY BYTES 


■ Deployment ■ Mobile ■ Security 


INSIGHTS FROM THE INDUSTRY 


Staying Current and Avoiding the Double Bounce 


Recently I encountered a situation 
with a client who wanted to upgrade a 
critical piece of software present in their 
infrastructure. 

It was a classic, thick client/server 
accounting application utilizing SQL 
Server on the backend. The organization 
considered this to be a legacy application, 
albeit one that was still key and in heavy 
use, but only within one department of a 
half-dozen people. 

The client wanted to upgrade to the 
latest version of the application to take 
advantage of new features that the vendor 
had introduced in their latest release. They 
were also getting ready to do a hardware 
refresh with a switch from Windows XP to 
Windows 7. 

There were several problems that I had to tackle alongside their in-house IT team:

1. The installed version of the application was two versions behind the current version.

2. The current version was itself scheduled to be replaced by a newer version within three months.

3. The installed version only ran against SQL Server 2000.

4. The current version only ran against SQL Server 2005 or 2008.

5. The installed version ran on Windows 7, but not without breaking a feature that required a cumbersome workaround.

6. The new features the client wanted were present in the current version, but they wanted to go with the "within three months" version.

7. There was no direct upgrade path from the installed version to the "within three months" version.

8. There was a direct upgrade path from the installed version to the current version, thankfully.

9. No support contract or software maintenance agreement was in place with the vendor. In fact, the product had been bought out by another vendor!

The last item was the most surprising until I found out the reasoning. It was simply because this piece of software got lost within the organization. After a series of mergers and acquisitions, the department that used the application continued to do so without any issues. Any issues they encountered were minor and they were always able to get their work done. IT had performed software inventory audits periodically, but erroneously indicated that a newer version was installed.

Most of you who have been IT pros for a while can see where this is going and are likely forming an upgrade path in your head already. That path includes a dreaded "double bounce" upgrade, from the installed version to an interim "current" version before landing on the final "within three months" desired version. Oh, and don't forget about migrating the database from SQL Server 2000 to 2008 alongside upgrading the thick client software on the desktop machines while the folks there are getting used to the new features and interface changes.

This sounds like an awful amount of 
work wrought with plenty of potential 
pitfalls. It would certainly be simpler to 
not do anything. Remember, the original 
application was running just fine, thank 
you very much. 


After completing the work, I suggested to the client that we try to plan ahead so as to not be caught off-guard later on. I suggested that, with us on version X, when the vendor releases version Y, we take notice and spend some time examining what would be involved with moving to that version if desired. Then, when the vendor releases version Z, we plan to at least move to version Y to stay reasonably current.


It can be quite a challenge to follow a policy like this. IT teams are often overwhelmed with keeping pace with just their key vendors, let alone the smaller ones that supply an application used by only a few people. It can also be difficult to get a defined support policy from some vendors, especially smaller ones.

However, at some point in everyone's 
IT career, you will have to do an upgrade 
to a piece of software in a situation similar 
to this one. Try to avoid this. Try to stay 
reasonably current. It will save you from 
working long weekend hours, or at least 
cut down on them! 

Be sure to check out my new blog, 
Technologist in the Trenches, at 
www.windowsitpro.com/blogcontent/ 
technologist-in-the-trenches-blog-44. 

—Michael Dragone 


Qualys Unveils BrowserCheck Business Edition

Software as a Service (SaaS) security vendor Qualys has just announced a Business Edition of their free BrowserCheck web browser vulnerability assessment tool. Browser security has become a more pressing issue for organizations of all sizes, and this latest Qualys tool provides some business-friendly features that administrators should find useful.

BrowserCheck Business Edition provides system administrators with a management console that lets them track browser usage by users in their IT environment. This feature lets admins look at the state of browser security across the company, and informs them when specific machines have outdated browsers in need of patching. Users can also use the free tool—accessible by a unique BrowserCheck URL that Qualys provides for free—to examine their own browser security.

Qualys CTO Wolfgang Kandek says that the existing version of BrowserCheck has more than 500,000 users since it was launched, and they've added support for browsers running on Linux, Mac, and Android devices. "The feedback we've received from users has been very positive," Kandek says. "Our business edition allows admins to sign up for a free account on BrowserCheck, create a unique URL they can provide to their users, and then they can use the admin interface to see the collective results of the scan and make any corrective actions if needed."

In a statement announcing the availability of BrowserCheck Business Edition, Gartner Analyst Avivah Litan stressed the importance of browser security. "Secure web browsing is a growing concern for IT security. As employees increasingly access important information and use applications through their web browsers, malicious users are targeting their attacks on security vulnerabilities in out-of-date browsers and their plug-ins," Litan said. "Providing a way for IT administrators to assess browser security across an organization, and tools for users to keep their browsers and browser plug-ins up to date can help protect company data from malicious activity."

Are you concerned about the state of browser security in your organization? Let me know what you think by starting up a conversation on Twitter (@jeffjames3).

—Jeff James

Is the App Store No

In the past few years of the smartphone market, the strength of a mobile platform's app store has been a strong indicator for popularity and success. Apple's App Store and Android's Marketplace both have several hundred thousand applications, compared to BlackBerry and Windows Phone's numbers in the tens of thousands.

However, the trend might be shifting away from the importance of the app store. One reason is because as mobile development explodes, there's money out there for everyone, meaning that most of the very popular, very attractive apps are coming out on all the platforms. But there's another trend on the horizon: cross-platform application access.

It started with the announcement that the BlackBerry Playbook would be able to run Android apps. Just recently, a company called BlueStacks joined the mobile space with a solution to run Android applications on Windows. (Windows desktop that is, not phone.)

The way that BlueStacks does this, no surprise, is virtualization. But, while the solution is not available yet, it looks pretty clean and seamless. And the track record of Rosen Sharma, CEO of BlueStacks (on his seventh start up) indicates that the offering is going to be a hit.

OK, so what does this mean for app stores in general? If BlueStacks' solution is a hit, they will most likely expand their offering to other platforms (Mac, BlackBerry, Windows Phone, etc.). And if everyone can access Android applications, that will shift developers toward using Android.

Or, maybe BlueStacks won't catch on, either because users just aren't that concerned about accessing Android (because they have the apps they need on their other platforms), or because the solution doesn't deliver as promised. But if the former is true, then already the app store battle is largely over. I'm betting that BlueStacks will be a success, so I don't expect the latter.

One question that remains unanswered is whether current security issues with Android will be addressed. That's one thing that may keep Android from expanding across desktop and mobile OSs.

So what's next? Expect to see the BlueStacks solution pre-packaged with Windows 7 notebooks and tablets, available through enterprise distribution with Citrix and Microsoft, and available as a downloadable app, all this year.

Regardless of how this affects the market as a whole, it means good things for enterprises. Companies can develop home-grown applications on Android, or standardize across public Android applications, and make them available to any employees.

—Brian Reinholz
WINDOWS IT PRO EDITORS:

LinkedIn: To check out the Windows IT Pro group on LinkedIn, sign in on the LinkedIn homepage (www.linkedin.com), select the Search Groups option from the pull-down menu, and use "Windows IT Pro" as your search term.

Facebook: We've created a page on Facebook for Windows IT Pro, which you can access at: http://tinyurl.com/d5bquf. Visit our Facebook page to read the latest reader comments, see links to our latest web content, browse our classic cover gallery, and participate in our Facebook discussion board.

Twitter: www.twitter.com/windowsitpro.
Ctrl+Alt+Del

by Jason Bovberg

Unearthing the Truth

GET YOUR FAKE APPLE NEWS HERE!

This month, we're getting quite a kick out of the Onion brand of fake Apple news at Scoopertino (scoopertino.com)—a satirical news organization that publishes "all the news that's fit to fabricate." The site's tongue-in-cheek writers do a great job of reporting all the Apple-related news around the Interwebs, whether or not that news is actually true. The humor is hilarious, and the community is growing. Scoopertino recently got a lot of its own press when its fake letter from Sean Connery to Steve Jobs went viral. Check out "EXPOSED: The iMac disaster that almost was" (scoopertino.com/exposed-the-imac-disaster-that-almost-was) to see the letter. And stay for more!




IT PRO OF THE YEAR! 


To celebrate Systems Administrator Appreciation Day—which falls on July 29, 2011, this year—Windows IT Pro is sponsoring a contest 
for readers to submit (and vote on) the best IT pro of the year. Our top 10 finalists will be announced on July 29—just after this issue 
reaches your hands. We're looking for IT pros' most creative, ingenious success stories. IT pros have submitted their essays describing 
why they should be considered IT Pro of the Year. Now, it's your turn to pick a winner from among those 10 finalists! Go to our Awards 
Central page at www.windowsitpro.com/awards/systems-administrator-of-the-year to cast your vote! 



PRODUCT OF THE MONTH 

Our favorite product this month involves a tee-shirt. UK-based 
Orange has come up with a mobile charging technology—the 
Orange Sound Charge—that powers mobile phones using sound. 

This "green" charging device uses an existing technology called 
piezoelectric film in a revolutionary way, allowing people to charge their 
mobile phones while enjoying their favorite music. A panel of the film is housed 
inside a tee-shirt, which then, according to the company, "acts much like an 
oversized microphone by absorbing invisible sound-pressure waves. These 
sound waves are converted via the compression of interlaced quartz crystals 
into an electrical charge, which is fed into an integral reservoir battery that in 
turn charges most makes and models of mobile phone." For more information, 
go to newsroom.orange.co.uk/2011/06/20/turn-it-up-to-11-orange-unveils-the-sound-charge-2011. 
we're not just 
making servers, 
we're making 
server history 

While innovation comes rapidly in the IT industry, 
basic server architectures haven't changed for 
decades. That's why Cisco answered the need for 
innovation by introducing the Cisco Unified Computing 
System - which integrates compute, high-speed 
networking, storage access and virtualization in one 
system. Since its introduction, IT departments have 
dramatically reduced data center complexity while: 

• Lowering operating costs by up to 30% 

• Reducing Microsoft deployment times from weeks 
to minutes 

• Harnessing the power of the UCS architecture for 
Microsoft Windows Server and Exchange, SharePoint, 
and SQL Server deployments 

The Cisco Unified Computing System, powered by 
intelligent Intel® Xeon® processors, signals the next 
evolution of the data center - where everything, 
and everyone, works together like never before. 

Find out more at www.cisco.com/go/microsoft 
Virtualize 
more with 
WebSphere. 

Or pay 
more with 
WebLogic. 

Over 400 highly logical reasons to choose IBM WebSphere over Oracle WebLogic: 

1. Save 57% on first-year licensing and support. 

2. Choose from more virtualization options (including VMware and Xen). 

3. Pay only for cores you use (not always true with Oracle WebLogic). 

4-404. Be in good company (last year, over 400 Oracle WebLogic clients 
chose IBM WebSphere). 

ibm.com/facts 